Slashdot Mirror


Peer-To-Victim File Sharing

ShareSniffer is profiled in a SecurityFocus article today. The company has come up with a new and guiltless way to trade MP3s: just use someone else's hard drive. They have a "bevy of lawyers" (bevy, n., a group, esp. of girls or women) who say taking advantage of public Windows shares is perfectly legal. And why not? Clicking "I Agree" without reading a license agreement is legally binding, right? So when you click "Share This Folder," whether you understand its implications or not, you've authorized the world to play with your drive, and have no right to complain.

</devilsadvocate>

266 comments

  1. Re:We have to respond to this by pogen · · Score: 1
    What if I WANT to share my files...but not to ShareSniffer users?

    What if you wanted to share your files with men, but not women? Or blacks, but not whites? Or group A, but not group non-A? You can't. The closest you can get is to share files with those who know the password, but not with those who don't. This has nothing to do with ShareSniffer, it is just the nature of file-sharing.

  2. Re:This is just silly by GMontag451 · · Score: 1

    Neither do HTTP servers, so is viewing a web page without an invitation from the webmaster a crime?

  3. shitty by twitter · · Score: 1
    The lawyers seem to always try to re-word everything so that things are selectively illegal or wrong. Personally, I'm getting tired of the bullshit with the lawyers in America, but that is another topic.

    Yeh, me too.

    What remains to be seen is: who is liable for the (alleged) illegal material on one of the public shares? Is the user reasonably expected to make sure the material is legal?

    The poster (asinine) is responsible. This is no different from any other public share or common carrier. Putting Britney Spears on someone else's computer is an abuse in more ways than one.

    --

    Friends don't help friends install M$ junk.

  4. Re:We have to respond to this by trcooper · · Score: 2

    No, it's pretty clear-cut that what Bob and Joe are doing is wrong. If I leave my garage open and during the day someone decides to take a rake, shovel, or other implements of destruction, or decides to park their VW mini-bus there, that's wrong.

    Sure my insurance company isn't going to cover this because it was my fault I left the garage open, but the police will arrest the person who took my implements of destruction, assuming they locate them.

    Additionally, if I started a business that looked for open garages, and then let people know about it, I would assume that the authorities would quickly stop me.

    What these guys are doing is clearly wrong. Taking advantage of someone else's property without explicit permission is wrong whether you gain access through an open door or open share.

  5. Re:We have to respond to this by B14ckH013Sur4 · · Score: 1

    I MUST disagree with the Troll tag here. He's right; and what's more is this thought...
    What about all those Doze users who bought/DLd RH or Mandrake, or even Slackware, only to realize six months later that they've been running a wildly-successful anon-FTP?
    It's the same thing, you're setting up a disk-share over a hostile protocol.

    --
    "I've seen plays that were more exciting than this.
    Honest to god... Plays!" Homer Simpson
  6. Re:We have to respond to this by ADRA · · Score: 1

    Your post was trollish.

    I mean, you totally contradict the previous poster's message, then you give an ambiguous one line description of why it is wrong.

    Don't change the mod. (I guess my comment was trolling too.. doh!)


    Thus Spake ADRA

    --
    Bye!
  7. Re:I'm glad someone finally did this by NoOneInParticular · · Score: 1

    Nope, the default share in NT is 'everyone: full control'. Which service pack are you running? (I lost track at 6)

  8. Re:goodie! by SetiMike · · Score: 1
    So you are saying that this software is the equivalent of a flashlight that you use to walk around a dark neighborhood looking for open doors?

    Where do you get the 'come on in' sign with file shares?

  9. All I know is... by -=OmegaMan=- · · Score: 1

    I will be handing out violations for people using this "tool" on my network. Your ISP will probably be doing the same thing. Care to chance it? >:)

    --

    This sig is xenon coated, and will glow red when in the presence of aliens

  10. Re:How did all this schisse porn get in my MP3 sha by CSG_SurferDude · · Score: 1

    That's not funny..

    Giggle giggle

    I mean, that's just SICK

    Giggle giggle

    That's not even funny to joke about!

    Laugh Laugh, Fall out of chair to the ground...

  11. Re:We have to respond to this by TheTomcat · · Score: 3

    I have.

    It's often not simple to find out what email address belongs to specific IPs, though.

    I've actually used an open print-share to print a message like "You're sharing your printer to the world. This can be fixed by right-clicking on your printer and selecting 'sharing', then assigning a password. If you need help, please feel free to email me at ........."

    But then they just get scared and think I'm some cracker. People don't listen until someone gets hurt.

    I'm not trying to be elitist about this, but look, for example at the DDoS stuff a year or so ago. Nobody cared that it was possible, until it hurt a bunch of dotcoms, then there were all kinds of outcries, and now the problem has died, and nobody cares now. Even though DDoS is still very possible.

    "A person is smart. People are dumb, panicky, dangerous animals, and you know it."
    -Kay, Men In Black, 1997

    I tend to agree fully. (-:

  12. Remember the #1 Choice by sdelic · · Score: 1

    It continues to humor me how the access of someone's files without them knowing about it is compared to someone breaking into someone's home and looking through their drawers. Fact of the matter is we all make choices, and a person 'chooses' to connect their PC to the public internet and 'chooses' to keep data on that PC. There are plenty of choices to make here; if a user just doesn't want to have to deal with being responsible and securing their own PC, or if they lack the intellect needed to do such a task, they are more than welcome to subscribe to WEBTV or TiVo or another service that is a little less intrusive. One day this 'internet welfare' that we dish out to the millions of clueless individuals every year might just stop. Let's compare these demands these clueless idiots make on the net to the real world of business, say the purchase of a car. I purchase a car and take it out on the highway and total it beyond repair. I think, along these same lines of thinking, I should be able to take it back to the dealer and get a brand new car because I 'didn't know' that you were supposed to apply your brakes when you're going 100MPH and approaching a brick wall.

    1. Re:Remember the #1 Choice by bbuda · · Score: 1

      I love this Slashdot Darwinian idea that "all the stupid M$ Windoze users will get their comeuppance for supporting Satan himself Bill Gate$ and see the shining light that is Linux", but the fact is that the average PC user doesn't think twice about networks and couldn't tell you what NetBIOS is. I know this seems like a crime from the hacker point of view, but it's true: most people don't have the time to care. This is a major security hole in Windows and I hope MS takes action against it. The problem here is not stupid users, nor is it evil software written by evil port scanners. It's a hole in Windows, an otherwise excellent OS.

  13. Re:Windows file sharing security by theNetImp · · Score: 1
    Yeah, but there is also that checkbox thing that says, "Don't remind me of this in the future."

    -james

  14. Cool by cwhicks · · Score: 1

    I'm going to start trying peoples backdoors at night to see if they're unlocked. I guess if they're unlocked they want me to come in and rummage around.

    This won't go anywhere except with a few kiddies who are immoral anyway.

    --
    - I like pudding.
  15. Re:I'm glad someone finally did this by cavemanf16 · · Score: 1

    Ahhh, but apparently no one was aware of the back door this lazy IT guy had created for at least a while. Very damaging for a company for ShareSniffer to allow everyone to just jump on and download Company X's next big account and project details, then upload some virus to clear that info and erase the details of their visit through your system. I applaud you for your detective work, but just think what could have happened if you hadn't noticed it!

  16. Re:I'm glad someone finally did this by jayhawk88 · · Score: 2

    Explain to me this concept of a default share, for I have not seen it.

    At least in 98, it works like this: Windows does not enable file sharing by default. Nor do any major computer manufacturers enable it by default, as far as I know.

    The problem comes when people start hooking their Windows computers up to their own LAN's. If you want to share files/printers between the upstairs and downstairs machines, you enable File Sharing support. You get a window asking you to create a share name for your share, and if you want to set a password. The default share name is "C" or "C-drive", something like that. And while there is a password-protect option, it's not required to create the share.

    Also of note: the share is automatically enabled for every network protocol you currently have installed on your system. So if you only intend to share your files via IPX locally, but you have TCP/IP, or worse, NetBEUI, installed, it gets shared over those as well. You have to manually go in and un-bind the other protocols from Microsoft Networking.

    This obviously isn't much of a problem until you start throwing DSL and cable lines into the mix, but there's where it becomes a big problem. Chances are most Windows users barely have a clue what a protocol or drive-share even is, let alone why they shouldn't be sharing it without a password over their cable modem.

    Personally, I don't really buy this whole "they left it open, they deserve what they get" mentality. Come on people, we can't all be l33t h4x0rs. "You deserve what you get" doesn't fly when talking about cell-phone radiation, or getting mugged while walking to your car after dark. What's needed is a little education, not exploitation.

  17. Re:Why Not by Kwantus · · Score: 1
    shouldn't you also go to jail if you steal MP3's from a hard-working artist?

    The RIAA's been stealing from the artists for years without being jailed... why should anyone else? The RIAA's pissed that some artists now have a bypass to the listeners that's as or more lucrative to the artist than the one through the RIAA, so the RIAA wants to choke it off. And you're buying into the RIAA-backed propaganda.

  18. Re:I'm glad someone finally did this by frankie · · Score: 1

    Ack. My mistake, thanks for making me find some answers.

    Here's the story -- as a favor, I maintain a dozen Win9x PCs in my department. A couple years ago, I noticed one that stupidly had C: as a read/write guest share. Then I went around the room and discovered that all of them were ready to do this -- all you had to do was right-click "Sharing", switch from "Not Shared" to "Shared As...", and C: would be open to the public.

    Ever since then I've assumed that this was Windows default. After a few tests and phone calls I found the truth. The IT guy who set up these PCs in the first place was lazy and wanted to handle tech support without leaving his desk. It was part of his standard config. How dumb is that?

    Sorry for the false alarm, and thanks for the replies.
  19. Re:RIAA should clamp down on netbios! by Anomynous+Coward · · Score: 1

    > This is all using TCP/IP and SMB. No NetBIOS that I'm aware of.

    I was under the impression SMB was just a subset of the ever evolving nasty 3-port 'netbios' application protocol suite.

    Even if I slipped up, since when did facts stop /. 'ers posting funny comments? %^}

    .vortex

    --
    Time flies like an arrow -- Fruit flies like a banana
  20. So you don't ever use anonymous FTP by BLKMGK · · Score: 1

    I mean really, how is this different than finding an anonymous FTP server and downloading files? This is simply a tool to find those "anonymous FTP" servers right? The only difference is that instead of having to load up software to do the hosting all WINx machines come with this capability (shrug). Guess folks better begin thinking about locking their doors huh?

    Haven't there also been legal cases where people have come through unlocked doors and not been found culpable because the owner didn't take prudent steps to secure their property? I have knowledge of a case where a man was sued for not locking his door - the would-be assailant was mauled by the pit bull and nearly killed. Unfortunately the owner came home and dialed 911, thus saving his life (baaaad bleeding). The assailant then successfully sued - amazing huh?

    Oh, IANAL ;-)

    --
    Build it, Drive it, Improve it! Hybridz.org
    1. Re:So you don't ever use anonymous FTP by trcooper · · Score: 2

      I've heard of the odd cases where an intruder has sued a property owner for negligence, but I've never heard of a thief being let off because he didn't have to forcefully break in. Point is you can't/shouldn't take advantage of someone else's property without proper authorization.

      Most open windows shares are not meant to be open to the world, they're mistakes, you can't reasonably assume that your neighbor wants you to access his hard-drive simply because you can see it. Because someone doesn't understand how these shares work or how to secure them doesn't give anyone the right to take advantage of them.

    2. Re:So you don't ever use anonymous FTP by Kharny · · Score: 1

      Still, LEGALLY, he accepted to share the drive/folder/directory. According to the share program, you explicitly share the item with other users of the network, be it internet or other.

      --
      Make a man a fire and he will be warm for a day, set a man on fire and he will be warm for the rest of his life
    3. Re:So you don't ever use anonymous FTP by Chandon+Seldon · · Score: 1

      The internet is made up of a bunch of hosts. Each of these hosts provides zero or more services to the rest of the network, things like HTTP, FTP, telnet, SSH, maybe a MUD, etc.

      If a given machine serves files in response to an HTTP request, you can assume that the owner of that machine intended to give you access to the files that his HTTP server is serving. The same is true with anonymous FTP.

      If you try to connect to telnet/SSH/a MUD then the server will usually not let you use the service without authenticating yourself. In this case you can assume that the owner of the machine did *not* intend to let you use the service, unless they gave you a username/password.

      Any other service should be similar: if it allows non-authenticated anonymous access, then you can assume that the owner intended to let you use that service.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
  21. Re:Talk about a non-issue... by GMontag451 · · Score: 1
    And what about the virus thing. If all of a sudden there are new files on your hard drive, don't run them. You can't remotely execute this way (of course, if someone was really dumb, and shared commonly used executables, I guess you could replace them).

    Or they share out their WINDOWS or WINNT directory. This is how the 911 worm spread. It just copied itself to the Startup directories (forgot the full paths).

  22. Re:Might work... by BrK · · Score: 3
    All in all, the door is a bad argument. The physical door itself is a symbol in today's society of a barrier. People are taught to knock and *request* permission, not just merely *open* the door, unless there is a "Come on in" type of sign.

    With file sharing you have specifically left the door open, and hung out a come on in sign.

    Unless you have an access control system for the door, you cannot leave it unlocked for specific people, so you have to leave it unlocked for everyone.

    With file sharing, you can specify a password, and different users, and thus can allow in only the people you *want* to come in. Specifying "full access" means just that. If you're too lazy to lock it down properly, so be it.

    --
    -This sig intentionally left blank
  23. Open Source!! by SetiMike · · Score: 1

    They should at least open source the program so we can have the ability to scan for open NFS shares!

  24. The ShareSniffer product could be prosecuted by andyo · · Score: 1

    Aside from violating people's privacy, I imagine ShareSniffer Inc. could be dragged into court (and I'd say they deserve it) using that same "vicarious and contributory infringement" language you see on all the other lawsuits for software that copyright holders don't like. I'm not a lawyer, and it would be interesting to see what an IP lawyer would say about this. But ShareSniffer is making it a hundred times easier for people to copy and share files; looks like the same difference to me.

  25. Re:Bevy? by JRiddell · · Score: 1

    Ah'm fae an Irn-Bru ta

  26. Re:Oooo... by unitron · · Score: 1

    Are you from Charlotte?

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  27. Re:Might work... by BrK · · Score: 2
    But that definitely does not give you the right to take things from inside the house (or computer system),

    In the house, if there is a VCR and I take it, then the original owner has lost all use of it. What if I came in and *cloned* the VCR, so the original owner still had his fully functional unit, but now I had one just like it?

    If you need to temporarily unlock your backdoor, specify a password, even if it's insanely simple.

    --
    -This sig intentionally left blank
  28. If you allow write access .. by kd5biv · · Score: 1

    .. you deserve whatever you get. Sorry, but I agree that leaving the door unlocked is an open invitation to this behavior.

    Yes, I know, it's unethical, rude, thoughtless, and selfish of people to use your open public share as a cache for things they don't want to store on their own drives, but allowing public write access to *any* directory on a machine you own and/or "administer" is about as smart as running your HTTP server as root and passing URL text to the shell. If you don't understand why either of these are bad .. well, you shouldn't be setting up any public shares. Sorry, but the presence of ethically challenged k1dd13s out there is a known issue with Internet connected machines. No sympathy here.

    --


    73 de N5VB (ex-KD5BIV) AR SK
  29. Use this and get TOSsed! by Stavr0 · · Score: 2
    Basically, almost all ISPs worthy of the name specifically prohibit portscanning and other forms of remote tampering. If you start mucking around with ShareSniffer, your ISP will start receiving all sorts of abuse reports from many sources. They will not be happy.

    I've got enough netbus/subseven hits on my f-wall as it is; If it starts logging ShareSniffer hits on top of that, well the emails to abuse@whateverisp.com will start flying again ...
    ---

  30. Re:yes and no by TheCarp · · Score: 1

    > When Sally runs her anon ftp server, she is most
    > likely savvy enough to realize that people will
    > use it.

    So what you're saying then, by implication, is that if someone runs Windows we should automatically assume that they are stupid and have no clue whatsoever?

    That is a great stereotype and I, for one, am extremely amused by it.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  31. Bevy? by JRiddell · · Score: 1

    Group of girls??? Nonesence, ivrybody in Scotland kens it's a pack ay beer or ither booze.

    Jonathan Riddell

    http://scots.jriddell.org for translation of Mozilla intae Scots

    1. Re:Bevy? by white+light · · Score: 1

      that's 'bevvy', not 'bevy'

  32. Re:I'm glad someone finally did this by jayhawk88 · · Score: 1

    Well I think you're right that 98 doesn't by default create a share. Thing is though, you have to create a share before you can share your files: so anyone who's in the situation of having their computers used in the way described by the article would have figured out how to create the share at least.

    I'd really consider this a Windows "vulnerability" more than anything. Really, Windows ought to make the user create a unique share name, or force them to use some sort of password. But then, if Windows did stuff like this, it wouldn't be the crappy OS we know and hate I guess.

    NetBEUI's OK for sharing on a local LAN for sure, but you throw that LAN on the internet, and it's wide open. I haven't messed with it for a while, but NetBEUI's full of all kinds of commonly known security holes. Again, a Windows "vulnerability", as doesn't NetBEUI get installed by default if you install Windows Networking? Maybe that was just Win95...

  33. Re:AUP's don't trump dumb users by Tackhead · · Score: 2
    >And you are thinking that these people who could not figure out how to close their shares are going to be smart enough to know that they're being sniffed?

    Most dialup spammers die pretty quickly, even with an estimated one-in-10000 abuse reporting rate.

    If sharesniffing becomes widespread, I'd expect to see people running "honeypot" share-simulating clients and/or automated "log all probes and report to abuse after 10 probes from any single netblock within a 7-day period" tools.
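One way to build the "log all probes and report to abuse after 10 probes from any single netblock within a 7-day period" tool the post above imagines, as an added Python example (not from the thread, ShareSniffer, or any real firewall); the log line format, the 192.0.2.x/10.x.x.x addresses and every sample line are constructed:

```python
"""Flag source netblocks that probe SMB/NetBIOS ports too often.

Added example: a sliding-window counter over firewall drop logs that reports a
/24 netblock once it has sent 10 or more probes within any 7-day period.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# NetBIOS name/datagram/session service and direct-hosted SMB ports.
PROBE_PORTS = {137, 138, 139, 445}

# Assumed (constructed) log line format, not any real firewall's:
#   <ISO timestamp> DROP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) DROP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def _line(day, hour, src, dport):
    """Build one constructed log line; day/hour are offsets from 2001-03-01."""
    ts = datetime(2001, 3, 1) + timedelta(days=day, hours=hour)
    return f"{ts:%Y-%m-%dT%H:%M:%S} DROP {src}:1033 -> 192.0.2.10:{dport}"


# Constructed sample log (documentation addresses, not real sources):
#  * 10.1.2.0/24: 10 SMB probes from three hosts inside two days -> flagged
#  * 10.9.9.0/24: 10 SMB probes, one every two days (20 days)   -> never 10 within 7 days
#  * 10.5.5.0/24: 3 SMB probes plus 8 port-80 hits               -> port 80 is not counted
SAMPLE_LOG = (
    [_line(0, h, f"10.1.2.{3 + h % 3}", 139 if h % 2 else 445) for h in range(5)]
    + [_line(1, h, f"10.1.2.{3 + h % 3}", 139) for h in range(5)]
    + [_line(2 * d, 9, "10.9.9.7", 445) for d in range(10)]
    + [_line(3, h, "10.5.5.20", 139) for h in range(3)]
    + [_line(3, h, "10.5.5.20", 80) for h in range(8)]
)


def parse_probe(line):
    """Return (timestamp, source /24 netblock) for an SMB/NetBIOS probe, else None."""
    m = LINE_RE.match(line.strip())
    if not m or int(m.group("dport")) not in PROBE_PORTS:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    # Aggregate per /24 so a scanner hopping between dialup addresses still adds up.
    netblock = ipaddress.ip_network(f"{m.group('src')}/24", strict=False)
    return ts, str(netblock)


def abusive_netblocks(lines, threshold=10, window=timedelta(days=7)):
    """Return {netblock: (count, window_start, window_end)} for each netblock
    that sent at least `threshold` probes inside some `window`-long period.

    A sliding window over the sorted timestamps catches bursts while leaving
    a slow trickle spread over months alone.
    """
    probes = defaultdict(list)
    for line in lines:
        parsed = parse_probe(line)
        if parsed:
            ts, block = parsed
            probes[block].append(ts)

    flagged = {}
    for block, stamps in probes.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop probes older than the window
                start += 1
            count = end - start + 1
            if count >= threshold and block not in flagged:
                flagged[block] = (count, stamps[start], ts)  # first crossing wins
    return flagged


def abuse_report(lines):
    """One human-readable line per flagged netblock, ready for an abuse@ mail."""
    return [
        f"{block}: {n} SMB/NetBIOS probes between {a:%Y-%m-%d %H:%M} and {b:%Y-%m-%d %H:%M}"
        for block, (n, a, b) in sorted(abusive_netblocks(lines).items())
    ]


if __name__ == "__main__":
    for entry in abuse_report(SAMPLE_LOG):
        print(entry)
```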

  34. It *is* illegal by KidSock · · Score: 1

    Rogers also points out that ShareSniffer only locates open shares, it doesn't access them.

    This is not true. The only way to determine if the share can be connected to without a password is to try the SMB_COM_SESSION_SETUP_ANDX message with a null password, which transpires *after* session establishment or other NetBIOS name service and session service operations and *after* dialect negotiation. This would be like checking to see if the door on someone's house is locked by walking up and turning the knob and opening it a little.

    I think that would be considered just as illegal as walking in and looking around.

    Funny thing is that Microsoft renamed the Windows networking protocol to the Common Internet FileSystem (CIFS). Perfect :~)

    1. Re:It *is* illegal by KBRogers · · Score: 1

      No. You're not completely wrong, more almost right. ShareSniffer does not do anything that reveals content beyond the IP address. It's all done by Windows(tm). ShareSniffer asks Windows how many shared resources there are at a given IP address. It does not ask for any further information. All it can currently tell you is that there are, for instance, zero shares available at 0.0.0.0. Everything is handed to Windows. ShareSniffer does not perform any magic in itself except communicate its desire for a share count to your local Windows. In turn, your local Windows returns the number of available shares at an IP address. If the number is greater than zero, that IP address is considered "shared". When you use your local Windows to navigate the IP address (which is required - because ShareSniffer will not navigate an IP address), your local Windows tries to communicate with the IP address and will force you to use Windows security. In essence, if the share is passworded, you have to know it to get access to it. Still, ShareSniffer doesn't even know if the IP addresses it marks as shared are passworded or not. It just knows they are shared.

      Kerry B. Rogers
      ShareSniffer Author
      kbrogers@sharesniffer.com

  35. Re:I'm sorry that does not pass the giggle test by BeBoxer · · Score: 3

    Actually, this is a very poor analogy. If you like bikes, here is a better one.

    In Amsterdam, they had a system of white bicycles. They weren't owned by anybody. The idea was that if you needed to go somewhere, you would just hop on the nearest white bike, ride it to your destination, and leave it for the next person. Your analogy should be:

    Suppose you had a bike, painted it white, and left it outside in a bike rack unlocked with a bunch of other white bikes. Could you then bitch when someone "steals" your white bike? That's what people are doing when they say you can't access open shares. Open shares are not like "[leaving] his bike out on the driveway unlocked". It is actually marking the bike in such a way that anybody who comes along and looks at it (via scanning) will see that the bike is marked as being free to use. By your analogy, every access to a publicly available web or FTP server is like stealing some poor kid's bike off of their driveway.

  36. Re:We have to respond to this by Xofer+D · · Score: 1

    *MY* objection to ShareSniffer is: What if I WANT to share my files...but not to ShareSniffer users? To be good netizens (not their purpose, I know) they should really have invented their own protocol.

    In that case, you set a password on the share, and give the password to those people who should be able to access the share.

    --
    The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
  37. Re:This is just silly by Hard_Code · · Score: 2

    "A better analogy would be if I had a sign on my door"

    Well, there is no way to put a "sign on your door". Either your shares are world-readable, or they are not readable at all (at least if you are using default windows sharing, and are not part of an NT domain, etc. Most home users aren't of course). It *is* more like just leaving your door open. Maybe you don't care who comes in, or maybe you just intend to leave it open for a certain person...but in most cases I'd expect someone to be hesitant to just waltzing in. This has *nothing* to do with theft. You can read my diary and it is not theft - that doesn't mean I wanted you to read it!

    So:

    1) Windows has crappy file sharing mechanism
    2) ShareSniffer is at best an unscrupulous company jumping on the P2P hype bandwagon. You can *already* do what ShareSniffer claims (P2P) by using public WINS servers.

    --

    It's 10 PM. Do you know if you're un-American?
  38. Re:Ethics vs. Laws by BlueFrog · · Score: 1
    Legally, this all boils down to one question: Is leaving a file share set up with no password equivalent to (a) leaving your front door unlocked so friends can come on in, or (b) leaving your front door open with a "come on in" sign so anybody can come in?

    This distinction is based on two things:

    1. How knowledgeable/experienced is the user sharing his files?
    2. How protective are we going to be of that user?

    It's simply not reasonable to expect that every home user in the world will keep up with security. (MS|GNU/Linux|Be) has given them an incredibly powerful tool, and they're going to use it to get where they want to go. Worrying about the more subtle (or not-so-subtle) effects of their choices is just not going to occur to them, nor should it. Serious network security is outside the scope of a home system/office. No one has the time to worry about network security and get any real work done.

    Protecting these people is a good idea--sort of a 'forgive them, for they know not what they do' approach. But putting that notion into any official form is a mistake, little better than the MPA thinking their DVDs are secure simply because the DMCA makes it illegal to crack them. You'd still have people getting hacked, and they'd still whine that they didn't know any better. And they'd be right.

    The only real solution to this is for people to learn to use their machines, but we all know that's not going to happen. The next best thing is for operating systems to install some intelligently-configured firewall/security software by default, and for the networking software (in this case MS, but this applies to all OS's) to eliminate/minimize such glaring holes.

  39. Re:Great! by bbuda · · Score: 1

    Wow. I didn't know people on /. still bought up trolls like batteries on Dec 31, 1999.

  40. Re:We have to respond to this by ethereal · · Score: 1

    That's not a troll, though, it's just not a very good rebuttal of a previous post. You have to distinguish between posts which just didn't happen to make a good argument, and posts which were deliberately trying to set off an argument. The former is "overrated" at worst, the latter is "troll" or "flamebait".

    I didn't see anything wrong with the comment myself, although I wouldn't have moderated it up either.

    I've also seen good posts marked as trolls recently. I think there may have been some moderation abuse going on for the past week or two.

    --

    Your right to not believe: Americans United for Separation of Church and

  41. Re:Might work... by PieceMaker · · Score: 1

    In the house, if there is a VCR and I take it, then the original owner has lost all use of it. What if I came in and *cloned* the VCR, so the original owner still had his fully functional unit, but now I had one just like it?

    Playing devil's advocate...

    What if I am online using my sucky modem to access the internet when you attempt to clone my MP3s? At that point I would be losing my use of my bandwidth. Or say I have a cable modem and am playing Quake3 online when you initiate the cloning: my framerate starts to take a big hit; I am losing bandwidth here too.

    Also, if anyone thinks they would use this access to store large files, then the cloning defense is totally out. At that point, if you use my share as a file repository, I am losing the use of a portion of my HD.

    Of course, your last comment is the best one. Don't provide an open share -- password-protect it.

  42. Re:We have to respond to this by nmx · · Score: 1

    My roommate installed Mandrake recently, which uses CUPS for printing. The other night, all of a sudden, someone else's homework started printing on his printer. He insisted that he hadn't set up Samba yet, so it made no sense that someone else could be using his printer.

    It turns out that the kid's name was on the printout, so we looked him up and gave him a call. It turns out that he had just installed Mandrake, and it helpfully searched the entire network and made my roommate's printer his default printer. Not to mention the fact that Mandrake enabled Samba by default on my roommate's machine and shared his printer with the world.

    How ridiculous is that? Everyone here uses Mandrake; maybe now they'll listen to me when I tell them what a horrible distro it is.

    --
    "Well kids, you tried your best, and you failed. The lesson is, never try."
  43. I Want To Start A P2V Company by istartedi · · Score: 2

    I Want To Start A P2V Company. Will some VC throw lots of money at me? Oh d#!@ it, I'm a year and a half too late.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  44. Re:We have to respond to this by dirk · · Score: 2
    If 'Sally' didn't want anyone and everyone using her read/write share, she shouldn't have left it wide open. It's that simple.


    And if Sally didn't want everyone to come into her yard and store stuff there, she shouldn't have left access open to anyone. She should have put up an unbreakable fence and guard dogs. But it doesn't work that way. In the "real world", access is something that is given, and it is assumed that if you have not been given access that you should have none. Why should we make special rules for the digital world? Unless you are given access, you have no right to be there.

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
  45. Re:goodie! by TheCarp · · Score: 1

    > Where do you get the 'come on in' sign with
    > file shares?

    Where it says "Publicly accessible" (or equivalent, whatever it actually says that means this - I haven't actually used the tool or even Windows in a LONG time).

    Unlike locks on doors at people's homes, these can have passwords, and other access control mechanisms, that are much easier to control than home keys.

    Unlike at your home, where there are often reasons to temporarily unlock a door, there are NO good reasons to leave a share "unlocked" except to allow general public access.

    Since there is no place to hang a "Come on in" sign (unlike in the physical world on the front of your house) the "publicly accessible" configuration must be assumed to mean that it is meant for public access.

    Either that or we assume that people are incompetent by default and every public share is a mistake (which is not the case, there are certainly intentional public shares put out by competent people)

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  46. Re:I'm sorry that does not pass the giggle test by lingsb · · Score: 2
    "But, in the absence of evidence to the contrary, it seems safe to assume that when somebody has taken positive action to run a filesharing service available to the world they meant for the public to be able to access it."

    If people want to share their MP3s via SMB, why don't they call their share "SHARE_SNIFFER" or something similar, so that people KNOW that they have been given implicit permission to access that share.

    At my uni, there's part of the computing rules that say we're not allowed to access a computer system unless we've been given explicit or implicit permission. Explicit permission being something like having an account on that computer, eg. my account on slashdot:

    "explicit permission is the process of an authorising person allowing another person to use an IT facility for a defined period. It will normally involve the assignment of a username and password for the purpose in question."

    Implicit permission is things like anon ftp, or computers in libraries, etc:

    "Examples of implicit authorisation include IT facilities that are advertised by the University as being freely available, e.g. currently the library OPAC, or usernames on password-protected systems for which the password is openly published."

    By naming your share "SHARE_SNIFFER" or whatever, people can take that as implicit authorisation. I don't think you can take the existence of an open SMB share as implicit authorisation because, as people have mentioned, it can be done without the sharer realising what they are doing.

    This would be the equivalent of putting your bicycle out in front of your house with a sign saying "Free to a good home" or "feel free to take a spin on this".

    --

    -BB

  47. Re:We have to respond to this by flink · · Score: 1

    I haven't tried this in a while, but... If in Win98 you have "client for MS networks" bound to a dial-up adapter and enable file sharing, it will warn you that you may be sharing files with the internet.

    I don't know how you could protect users with broadband connections. I suppose one solution would be to only enable file sharing over NetBEUI by default, since it isn't routable. It still wouldn't protect cable modem users from other users on the same segment, however.

  48. Scour.Net used to do this by alanjstr · · Score: 1

    This sounds exactly how Scour worked. In order to prevent your PC being spidered, you had to have a robots.txt file. Just because it's shared doesn't mean it's legal in the first place.

  49. Re:I'm sorry that does not pass the giggle test by TheCarp · · Score: 1

    Whether it's illegal or not ONLY matters if you are caught doing it. Until you are apprehended by law enforcement, and brought (usually against your will) into a court, the law means absolutely nothing - it's just words on a paper.

    Things like a person's attachment to things do matter. It is moral and ethical considerations, the stuff that law is supposed to be based on, that matter, not the law.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  50. Ugh, definitely not cool by Fervent · · Score: 3
    OK, this is definitely not cool. I always knew MS left open shares, but this will certainly bring the problem to more light.

    My question, though, and one I will be actively investigating: how does this affect Windows 2000 machines? I know there are "administration" shares set up (default hidden shares like C$), but I believe... don't quote me on this... that you need a password to view them. Just the same, I'm going to have to read this Ars Technica article in depth on how to secure my Windows 2000 box fully (I've followed most of the instructions, but I never removed the shares). I suggest any of you with Windows 2000 to do the same as well.

    And I still have to secure my RedHat side of the box. *sigh*

    --

    - I don't care if they globalize against free speech. All my best free thoughts are done in my head.

  51. Re:I'm glad someone finally did this by spoon42 · · Score: 1

    Windows file sharing is so fucking stupid -- why on earth would they set it up so the default share is "all users: full access"???

    Whatever the default setting is really isn't important. From my experience helping friends with this and browsing random people's C drives on the network, the problem is that despite Microsoft's continuous touting of Windows' user-friendly interface, the file sharing properties is one of the less intuitive ones in the whole OS despite its criticality. In Win95 anyway, there's 3 options: RO, full access, and "depends on password", which then has 2 blanks. Time after time, people pick the last and enter a password for read access, leaving the full access password blank. (and some then go ahead and share their entire drive with R/W access. heh.) I don't even recall seeing a "Help" button in the box, confusing as this is for the "average Windows user". Basically, Microsoft fucked up, the weakness is exploited, and their users get screwed. Not like that hasn't happened before.

    (And if that weren't enough, recently a bigger hole was found in Windows file sharing. Check around SecurityFocus. It's something like if you tell Windows to only check the first n characters of the password you give it, it will happily oblige. So modify your smbclient to brute force all 26 or so possible first characters of the password, and *boom*. or more accurately, *crack*. gah.)

    --
    --- this comment is presented in WIDE SCREEN STEREO!!!
  52. Re:This is just silly by Sc00ter · · Score: 1

    The read aloud thing was that the book didn't come with the ability to read itself aloud for deaf people. Not that you couldn't read it aloud to kids. See the original Slashdot story, they posted an update.
    --

  53. Re:This is just silly by twitter · · Score: 2
    No. A better analogy would be if I had a sign on my door, meant for a visiting friend, which said "Come on in and have a beer". If a stranger sees it and comes in and helps himself to a cold one, has he done anything morally or legally wrong?

    Nothing wrong with drinking a beer, but I'd be pissed off if he took my stereo or raped my wife. Not to equate mp3 file copying with rape or theft, but it is wrong to load someone's hard disk with crap without their consent when that crap might bring cease and desist letters down on their heads.

    Think! You know where you belong, and you know what you own. Walking into a stranger's house is a very ballsy thing to do. Here in Louisiana you can be legally shot doing that. Sneaking Britney Spears onto someone else's hard disk is not nice. An open door is not an excuse for abuse.

    --

    Friends don't help friends install M$ junk.

  54. Re:I'm glad someone finally did this by Ben+Hutchings · · Score: 1
    Also, it would be better if the NETBEUI protocol used to access these shares were not bound to the dial-up adapter (i.e. modem). Unfortunately, all protocols are bound to all devices by default.

    That's NetBIOS, not NetBEUI. NetBEUI is a lower-level protocol that you could use instead of TCP/IP; since ISPs only deal with TCP/IP they won't ever send you NetBEUI packets.

  55. Re:I'm glad someone finally did this by emrys79 · · Score: 1

    I don't know why people think that file shares are set up by default. I have been using Windows 9x since 1997, and have done tech support in a mixed Windows/Mac environment (i.e. university residence halls). File shares in Win9x are not set up by default. And when you go to share a file, the default is "Read-Only", not "full access". Also, you have to enable the file-sharing protocol before you can share any files. It is safe to say that if someone has shared a drive, they have done it intentionally (except perhaps in cases where an OEM has set up the computer to share drives, or something like @home turning sharing on and sharing specific drives, but that is a slightly different issue). Now, why people would leave a drive shared with write-permission and no password, that's another story.

  56. Re:I'm sorry that does not pass the giggle test by TheCarp · · Score: 1

    Generally I agree that most analogies are bad, even the one I gave was sub-optimal.

    I think the mistake though is not in the use of analogies, but in adherence to them. Analogies are good for illustrating a point; however, it must be realised that any analogy will break down at some point - sometimes that's important - sometimes it isn't.

    As I was trying to say, this tool is just a method for looking around and seeing what others have made available to you.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  57. Re:you wouldn't believe by Account+Number+Three · · Score: 1

    It may have been once upon a time; however, my @home CD turns off all sharing by default.

  58. Re:Lawyers don't trump AUP by dancingmad · · Score: 1
    How many people that have shared folders are going to understand IP addresses?

    --
    "There is no time, sir, at which ties do not matter," Jeeves, (Jeeves and the Impending Doom)
  59. Good premise by Lord+Kano · · Score: 2

    After all, in order for someone to make a legal complaint they'd have to stand up in court and say "Yes, I'm an idiot. After I installed Windows, I turned on access to my hard drives. No sir, I turned it on because I didn't want anybody to use it."

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  60. This might be exactly what P2P needs by edibleplastic · · Score: 2
    Perhaps this tool is what will help the whole peer-2-peer idea gain legality. This tool is technically not doing anything that people couldn't do themselves. If I'm on a Windows networking subnet, I can see all the shares just by going to Network Neighborhood, and if I wasn't on a subnet, I'd just do \\xxx.xx.xxx.xxx and see what they have. The key element in this situation is the Windows Networking, because that is what is allowing everybody to share files in the first place.

    The whole situation is akin to webservers and search engines. Webservers serve content, and search engines allow you to find the content. Once you have the link however, it is the webserver software that allows you to access the content, not the search engine. One might say that the difference is that the majority of websites are put up specifically so that other people can download, while sharing is not for internet-wide public sharing. This is true, but not relevant--Google catalogues all sorts of webservers/pages that their owners don't want other people to find. (for an example check out their "secret server" FAQ). In this case, the ShareSniffer software is not involved at all in the file transfer, which is a very different situation from Napster.

    Anyway, the reason this might be the turning point for p2p is because for years, millions of mp3s and other files have been illegally copied on college networks, with the full knowledge of the RIAA/MPAA. Windows Networking (and whatever small percentage of Linux Samba that exists on campuses) has been facilitating file transfers and literally nothing has been done about it. If anybody wants to challenge Sharesniffer, they're going to have to tackle windows networking, and Microsoft is not necessarily going to just give in to RIAA/MPAA. Windows networking is too valuable of an asset to the OS to simply give it up. And this may be the first time that Microsoft's lawyers and money may benefit the little people -- they may be the only company who can successfully stand up the RIAA/MPAA.

  61. Re:We have to respond to this by TheCarp · · Score: 1

    What problem?

    Maybe they really did do it on purpose? I know when _I_ was at school I opened a share on my Windows box (for the short time that I ran Windows) and made it open to everyone - with full intention that people would use it!

    Your idea just sounds like it would be another annoyance. Now I open my share to the public and start getting a few emails from random people all the time saying "BTW you have an open share, you probably don't want that" every few days...fun.

    As if I don't get enough random emails from people who see old mailing list messages or my old web pages (that i can't update or delete anymore) and ask me stupid questions.

    I'm certainly glad I don't run a Windows box with an open share anymore.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  62. Funny thought .. by kd5biv · · Score: 1

    Just imagine the possibilities for "deliberate" file trapping though. Set up a honeypot machine that looks like it's being run by a clueless user who doesn't know a share is set up on it.

    But the share copies to a non-public directory and logs the transfer including source IP address, resolved rDNS address, and timestamp. Present that to the hapless cracker's ISP as evidence they've violated their TOS and watch their account evaporate .. not only that, but you get to keep the files. Hey, if a burglar breaks in and gets chased off by your dog, you get to keep his tools, right? ;-)

    --


    73 de N5VB (ex-KD5BIV) AR SK
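    The honeypot idea in the post above, logging every transfer with source IP, reverse DNS and timestamp, can be turned into a small review script. The code below is an added example and not part of the Slashdot thread or of ShareSniffer: it assumes a Samba bait share audited with the vfs_full_audit module, uses constructed log lines in that module's general shape rather than any captured ones (the addresses, client names and paths are made up), and takes the reverse-DNS lookup as an injectable function so that it runs offline with a constructed lookup table.

```python
"""
Added example: review vfs_full_audit-style logs from a bait SMB share and
summarise, per source address, the write operations seen, with reverse DNS
and first/last timestamps for the report to the source's ISP.
Assumptions: the audit prefix is "user|ip|client|share" and each record is
"op|result|args"; the log lines below are constructed, not captured.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample lines (RFC 5737 test addresses, made-up client names).
SAMPLE_LOG = """\
Mar  5 02:14:07 honeypot smbd_audit: nobody|203.0.113.45|LAB-PC|public|connect|ok|IPC$
Mar  5 02:14:09 honeypot smbd_audit: nobody|203.0.113.45|LAB-PC|public|open|ok|w|music/track01.mp3
Mar  5 02:14:09 honeypot smbd_audit: nobody|203.0.113.45|LAB-PC|public|pwrite|ok|music/track01.mp3
Mar  5 02:14:11 honeypot smbd_audit: nobody|203.0.113.45|LAB-PC|public|close|ok|music/track01.mp3
Mar  5 02:20:33 honeypot smbd_audit: nobody|198.51.100.7|DESKTOP|public|open|ok|r|README.txt
Mar  5 02:20:33 honeypot smbd_audit: nobody|198.51.100.7|DESKTOP|public|pread|ok|README.txt
Mar  5 03:01:58 honeypot smbd_audit: nobody|203.0.113.45|LAB-PC|public|unlink|ok|README.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<machine>[^|]*)\|(?P<share>[^|]*)\|"
    r"(?P<op>[^|]*)\|(?P<result>[^|]*)(?:\|(?P<args>.*))?$"
)

# Operations that change the share's contents: the evidence the bait owner
# wants. Reads of the bait files are recorded for the timeline but not flagged.
WRITE_OPS = {"pwrite", "write", "unlink", "rename", "mkdir", "rmdir", "ftruncate"}


@dataclass
class Event:
    ts: str
    user: str
    ip: str
    machine: str
    share: str
    op: str
    result: str
    args: str


@dataclass
class Report:
    ip: str
    rdns: str
    machine: str
    first_seen: str
    last_seen: str
    writes: List[str] = field(default_factory=list)  # "timestamp op path"


Resolver = Callable[[str], str]


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for one audit line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return Event(d["ts"], d["user"], d["ip"], d["machine"], d["share"],
                 d["op"], d["result"], d["args"] or "")


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def default_resolver(ip: str) -> str:
    """Reverse-DNS lookup; falls back to the literal address when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip


def build_reports(events: List[Event], resolver: Resolver = default_resolver) -> Dict[str, Report]:
    """Group successful operations by source IP and collect the modifying ones."""
    reports: Dict[str, Report] = {}
    for e in events:
        if e.result != "ok":
            continue
        r = reports.get(e.ip)
        if r is None:
            r = Report(e.ip, resolver(e.ip), e.machine, e.ts, e.ts)
            reports[e.ip] = r
        r.last_seen = e.ts  # lines are in log order, so the last seen wins
        if e.op in WRITE_OPS:
            r.writes.append(f"{e.ts} {e.op} {e.args}")
    return reports


def abusers(reports: Dict[str, Report]) -> List[str]:
    """Source addresses that modified the bait share, sorted for stable output."""
    return sorted(ip for ip, r in reports.items() if r.writes)


def format_report(r: Report) -> str:
    lines = [f"Source: {r.ip} ({r.rdns}), client name {r.machine!r}",
             f"Active from {r.first_seen} to {r.last_seen}",
             f"Modifying operations on the bait share: {len(r.writes)}"]
    lines += ["  " + w for w in r.writes]
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline run: a constructed reverse-DNS table stands in for real lookups.
    fake_rdns = {"203.0.113.45": "lab-pc.example.net"}
    reps = build_reports(parse_log(SAMPLE_LOG), lambda ip: fake_rdns.get(ip, ip))
    for ip in abusers(reps):
        print(format_report(reps[ip]), end="\n\n")
```

    Run against a real log, replace `SAMPLE_LOG` with the file contents and drop the lambda so `default_resolver` does the lookup; reverse DNS is kept separate from the parse so that a slow or failing resolver never loses the timestamped write record itself.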
  63. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  64. Re:This is just silly by Sc00ter · · Score: 1
    Here's the link

    http://slashdot.org/yro/00/12/14/1515228.shtml
    --

  65. tell it to the judge... by laslo2 · · Score: 1

    if someone drops 2 ounces of pot in your car, and you get pulled over after dropping them off at the 7-11, who gets busted? *you*. it's *your* car, and *you're* the only one in it.

    same thing happens if the local police department finds 30gig of child porn/mp3's/warez on your windows share, that "someone else put there". you're busted.

    my hacker side says yes, it would be great to take all those bits of unused space on people's drives and put it to good use. but I'm not going to jail for someone else's files.

    --
    Karma only matters to me now and zen.
  66. Re:Might work... by swv3752 · · Score: 1

    Actually, file sharing is more apt to just a simple open door. There is no sign saying come on in.
    You share a folder, you have to purposefully do so. You leave your front door open, you have to purposefully do so. You might have good reasons to do so, you might have to move something big, or you want some cross ventilation or whatever. My open door is not an invitation for you to come enter my house.
    If I leave my door open and leave for the day, the law has a special classification for that, "Attractive Nuisance (sp?)". If some kid comes along, enters my house, and cuts off his hand playing with my power tools, I will be held liable. I shouldn't have left the door open, even though the kid shouldn't have trespassed. The same thing should be the case with people having open shares on the internet. However this tool is clearly illegal. It would be like me driving around looking for open doors, and leaving the addresses for any interested party.

    --
    Just a Tuna in the Sea of Life
  67. legal vs. moral vs. ... by zenbo · · Score: 1
    "So when you click "Share This Folder," whether you understand its implications or not, you've authorized the world to play with your drive, and have no right to complain."

    Excuse me? So if someone nukes your hard drive because you don't understand the implications of your actions (hey, you shared it read/write, right?) that's morally justifiable and furthermore something that's fine to base a business on?

    And I suppose when you install linux with a vulnerable version of statd and someone breaks into your system that's fine too, because you chose to install it?

    I guess this means that all abuses of other people's computers are not problematic, because the owner of the system knew the risk of being on the Internet - e.g. no software is perfect and 100% secure - when they connected. Actually, it doesn't even matter if the owner did know, they should have.

  68. Cracking for Dummies... by cavemanf16 · · Score: 1
    Ahh, that makes virus distributing so EASY! Dangit, now I'll have to find a better, faster way to distribute viruses.

    Disclaimer for Dummies: In no way do I distribute or condone computer virus cracking. The above was an attempt at humor, and should I be picked up by Big Brother ECHELON, realize the above as such.

    And if you still don't get it: I AM KIDDING! Making jest, being silly, tickling the funny bone, etc.

    1. Re:Cracking for Dummies... by ellem · · Score: 1

      Just post anonymously next time.

      No one is going to mod this up...

      ---

      --
      This .sig is fake but accurate.
  69. Re:We have to respond to this by ichimunki · · Score: 2

    While I may agree that using a Windows share is wrong if you don't have some sort of consent from the share owner (either implied or explicit) I don't think we need faulty analogies to unsecured outbuildings to debate.

    On the other hand, I'm a little tired of Mr. and Mrs. Average American expecting their PCs to be as easy to use as a lamp or a handgun. Today's home PC is more powerful than a mainframe was just 30 years ago. Apple sells a "supercomputer" in a seven inch plastic box!

    As such, people should consider getting a little training in the computing, and security would be a part of any such training. Having Windows at work is no substitute for real computer training, since at home there won't be any rigid information security policies or professional admins to back up hapless users who go turning on every potential security hole because it sounds neat.

    Most of the people I run into with computer questions don't even seem to know how to press F1 for help. They have no intrinsic understanding of why there is a problem, because other than the pretty windows on the screen they have little idea what is actually happening inside their machine. There's an awful lot of computer in the average home these days, run by completely clueless people. If their open share gets used as it was designed to be used, let's just call it part of the learning process. This doesn't do anything the protocol wasn't designed to do-- share files from a specified directory.

    --
    I do not have a signature
  70. Its (1) a crime and (ii) not a decent substitute by werdna · · Score: 2

    There is much risk in this for the person taking the data. Most states have enacted felony statutes which precisely cater to this issue -- the taking of data from a computer system without being granted express permission to do so. While it may well be arguable that leaving a door open makes entry and taking of possessions a consented non-trespass, that isn't the law in any state of the Union. Whether or not the same rules would apply to the computer trespass statutes is something you would test at your own risk of life, limb and liberty.

    Further, the scheme as described is useless as a substitute for Napster -- there would be no centralized index facilitating that distribution. Napster wasn't liable for the copying that took place -- it was liable for its contribution in facilitating the same as a result of uploading and maintaining dynamic index information (Contributory Infringement).

  71. Re:goodie! by ADRA · · Score: 1

    First point, The analogy is sane. If you leave your door unlocked, you are still "actively" leaving it unlocked, so the results are the same.

    By default, SMB packets are not routed outside of one's subnet. This means that if someone wants access to your SMB shares, they would have to initiate the connection with your computer to check if you have SMB active. It is like having a robber turning your door handles to see if they are unlocked.

    Second, if you live within a gated community and you leave your door wide open with a sign saying "Door wide open", you wouldn't expect someone from outside the neighborhood to be opening your door. Before I get flamed, note that nobody but the people inside the neighborhood can see that the door is open.

    This applies to the "Workgroup" principle of windows. The common user should not have to expect joe internet access into their SMB network.



    Thus Spake ADRA

    --
    Bye!
  72. interesting story regarding windows shares by Yablo · · Score: 2
    I dunno if I agree with this or not, but I have an interesting story regarding Windows shares: I met my girlfriend through one.

    First off, I am a college student. My best friend lives in a dorm different from me, but we manage. One day I showed him how to poke around the local Windows network and get into people's mp3s/pr0n/movies. He thought this was insanely cool.

    One day, he left me a message saying that he had gotten into some girl's share, and she had her whole hard drive shared up. Rather than fuck her over by nuking a few choice files, he found her AOL IM id in /windows/aim95/usernamexxx. He added her to his list, and told her that her whole computer was shared and anyone had access to it, but he didn't know how to get rid of the sharing.

    He called me over to her place, she and I finally met, and I showed her how to disable sharing.

    Yeah... that was how I met my girlfriend...

  73. Re:Might work... by roystgnr · · Score: 2

    "The person who has, through no knowledge of his own, left file sharing 'on' with no protection, that is the electronic equivalent of leaving your door unlocked," says Rasch. "You can't with any degree of certainly say it is an invitation to enter... Therefore when you enter through an open file share, that's likely an unauthorized access."

    So does the same reasoning apply to read-only passwordless access? When I pull up a random web page, it's rarely because I've received a written invitation from their webmaster to do so; it's because there is no password restricting my access to the page!

  74. Entering, instead of Breaking and Entering by coyote-san · · Score: 2
    Don't these guys watch Law and Order?

    If you break into a locked house, it's breaking and entering.

    If you enter an unlocked house, without permission, it's entering. Still a crime. The fact that you left the door open is not "permission," not even implicitly. The fact that someone left his computer in its default configuration is sure as hell not permission. Someone specifically enabling sharing for their home-based network is a bit more debatable, but I still doubt it would take any reasonable person more than a few seconds to decide that it's not permission for everyone to enter.

    If you take stuff without permission it's theft, even if the person didn't know he/she possessed the item. It's theft even if all you do is copy the papers on the desk.

    Even leaving something in the house is a crime. Littering, if nothing else.

    Finally, even if all they do is tell their friends where to find open doors, if they do that in the expectation that their friends will commit crimes (entering, theft, etc.), then they're still party to a conspiracy.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Entering, instead of Breaking and Entering by nugatory · · Score: 1
      The fact is, all these 'opening the door' and 'entering the yard' metaphors are just WRONG. The laws of the physical world do not apply to the digital world or the internet by default. If they did, every person visiting a web link would be 'entering' (but not 'breaking and entering' right?) as well as guilty of thievery for copying the content of the site to their local browser.

      On the contrary.... The metaphor works just fine. Following a web link isn't breaking and entering because the follower of the link is invited. There are some questions about what constitutes an invitation, but that doesn't affect the validity of the principle. Most of the criminal law relating to theft, breaking and entering and other property crimes comes down to saying that you shouldn't do things to other people's property that they don't want you to do - and that principle works just as well in the digital world as the physical world. This shouldn't be surprising, since the digital world is built out of physical computers that do have owners.

      How is storing files on my hard drive because I screwed up my firewall settings any different than camping out in my basement because the lock on the basement door won't hold in wet weather?

    2. Re:Entering, instead of Breaking and Entering by Ronin+X · · Score: 1
      My point is that the metaphors don't hold water because they're subjective and easily manipulated. I could easily take your metaphor:

      How is storing files on my hard drive because I screwed up my firewall settings any different than camping out in my basement because the lock on the basement door won't hold in wet weather?

      And use the same logic to make the opposite point: How is accessing my web page page any different than coming through my unlocked door and photocopying documents left out on my desk?

      On the internet you can't necessarily assume the intent of the person using the resource is thievery, nor can you assume that a shared resource is some kind of misconfiguration or user error.

      --
      Ok my karma is maxed out. When do I become Enlightened?
    3. Re:Entering, instead of Breaking and Entering by Ronin+X · · Score: 1
      Wow. Your knowledge of television crime drama is impressive, but completely immaterial and on the verge of being offtopic.

      The fact that someone left his computer in its default configuration is sure as hell not permission.

      *Sigh* It is NOT a default state to share out a directory or drive. It must be chosen and enabled.

      Some people seem to be making the argument that ignorance is some kind of legal protection. How far does that extend? "I put the car in neutral and didn't apply the parking brake, but how was I supposed to know it would roll down hill and kill someone? The car didn't give me any kind of warning at all!"

      The fact is, all these 'opening the door' and 'entering the yard' metaphors are just WRONG. The laws of the physical world do not apply to the digital world or the internet by default. If they did, every person visiting a web link would be 'entering' (but not 'breaking and entering' right?) as well as guilty of thievery for copying the content of the site to their local browser.

      --
      Ok my karma is maxed out. When do I become Enlightened?
    4. Re:Entering, instead of Breaking and Entering by nugatory · · Score: 1
      And use the same logic to make the opposite point: How is accessing my web page page any different than coming through my unlocked door and photocopying documents left out on my desk?
      On the internet you can't necessarily assume the intent of the person using the resource is thievery, nor can you assume that a shared resource is some kind of misconfiguration or user error.

      Yes, and outside of the internet you can't assume that the person entering through your unlocked door wasn't actually trying to track down and exterminate a mouse infected with a mutant hantavirus strain, or didn't have some other altogether legitimate purpose that exceeds even the fertile imagination of /ers.

      This technique of making internally consistent but bogus arguments (bogus because the arguer doesn't really believe them himself, but has labored long to ensure their internal consistency) works just as well outside the internet as inside.

      So I still don't see why the problem is fundamentally different on the net. Off the net, it's more or less illegal to mess with your neighbor's property in ways that he wouldn't like. Off the net, it's possible to construct all sorts of interesting and logical arguments for why it was OK for you to mess with neighbor's property. Off the net, if a jury of your peers would giggle at these arguments, so will a court of law.

      What's different if you use the internet to mess with your neighbor's property? Well, it's likely that it's harder to assemble a jury of your peers, but that's just an implementation difficulty, it's not a fundamental difference. And if we did assemble such a jury, how do we think they would react to an argument that you believed, really believed that Joe Clueless meant to share his C: drive? ROTFLMAO.

    5. Re:Entering, instead of Breaking and Entering by Ronin+X · · Score: 1
      And if we did assemble such a jury, how do we think they would react to an argument that you believed, really believed that Joe Clueless meant to share his C: drive? ROTFLMAO.

      Poor Joe Clueless, helpless victim. Poor Joe is also in court because he left the gate to his new pool open and a kid played in it and drowned. How was he supposed to know?

      The point is that people should be responsible for their actions. You don't go weaving around on the highway without knowing how to operate a vehicle, yet with a computer, people who can't program the clock on a VCR feel they can 'plug-and-play'.

      --
      Ok my karma is maxed out. When do I become Enlightened?
    6. Re:Entering, instead of Breaking and Entering by GMontag451 · · Score: 1
      The fact that someone left his computer in its default configuration is sure as hell not permission.

      File sharing is NOT on by default. You have to explicitly turn it on. If you want to turn it on for a specified group of people, have a password. Leaving world access is an open invitation.

      If you take stuff without permission it's theft, even if the person didn't know he/she possessed the item. It's theft even if all you do is copy the papers on the desk.

      Copying papers on a desk is not theft. It may be espionage if it was without permission. But again, putting world read rights on something is giving permission.

      Even leaving something in the house is a crime. Littering, if nothing else. Littering only applies to a publicly owned place, such as a park or sidewalk. And leaving something in a house with permission is not a crime. Giving world write rights to something is giving permission.

  75. Re:I'm sorry that does not pass the giggle test by nugatory · · Score: 1
    Well... to use a physical analogy...
    If you leave the door to your house wide open, then you can't charge a person with breaking and entering.

    Oh yes you can.

    Entering a house uninvited through an unlocked door is breaking and entering in the United States and most if not all countries that derive their law from any Western European tradition.

    This isn't even such a bad way for the law to work. The practical effect is that it's just as illegal to break into an easy target as a hard target. And that's as it should be - if softness of the target could be a defense, it wouldn't be as serious of a crime to break into a house that had windows as one that didn't. Bear in mind that the lock on the door of most American suburban houses wouldn't keep out a moderately determined wolfcub with a bent hairpin. It's just there to remind the wolfcubs that they aren't supposed to be breaking in.

  76. Re:We have to respond to this by aphr0 · · Score: 1

    What do you suggest people do? Take a week out of their lives to read a 400 page manual and work through the intricacies of installing and setting up unix/linux and spend another few weeks learning the subtleties of securing said system? Most people don't enjoy spending time learning about computers and tinkering with them. On the PC side, Windows is the best thing there is for those users. Be doesn't have the application (i.e. MS Office) or hardware support to be viable.

    Robert Morris is a hacker, Bill Gates is a business man. Big difference.

  77. Re:Might work... by nugatory · · Score: 1
    I don't think this would hold up in court.
    [snip]
    If I come along and discover a public share, I can only assume that the person *meant* to share it.

    I think you have confused what lawyers do, which is to make elaborately reasoned and internally consistent arguments for a particular point of view, with what the courts do, which is to decide which of these arguments should be taken seriously.

    The law is pretty clear (I oversimplify a bit, but not in a way that affects the argument) about saying that you generally shouldn't mess with other people's property, especially when you know that they wouldn't want you to. So you and your lawyer can argue that "I can only assume..." and the other side's lawyer can argue that you actually assumed something else. But the court has to decide which of these two arguments wins. If it's a criminal case, it will decide by asking a jury of your peers (it may not be practical to empanel such a jury, but that's still the applicable principle).

    OK. Think about a jury of individuals you would consider your peers. Think about trying that "I can only assume..." argument out on them. Do you really believe that a jury of your peers is ready to buy an argument that Joe Clueless meant to share his C: drive?

    The original title of this thread said something about not passing the giggle test, and that seems to say it all.

  78. On computer networks, permissions express intent. by Ungrounded+Lightning · · Score: 2

    You can't get up and say that this tool does not break into people's system, the users do.

    That's not the point.

    On computer networks (in the absence of a STANDARDIZED publication of a declaration of a well-known exception) the permission system settings are normally considered the expression of the INTENT of the person who set them.

    The only well-recognized exceptions I can think of at the moment are:
    - Copyright notices on published text.
    - Certain prohibitions (by custom and/or statute) on use of administrator privileges to snoop.
    - The mechanism for restricting search engines from indexing certain pages (such as dynamic or proprietary site content).

    Changing the permissions on a portion of their files so that the world can read and write them could be an expression of intent that they do so, or could be an error. This difference in intent is indistinguishable externally. So if another user takes advantage of the explicit permission change to do exactly what it allows, one must assume he is acting with the permission of the resource's owner unless he has been explicitly informed otherwise.

    Further, when you're dealing with laws that ban an activity, any ambiguity in the law must (according to US jurisprudence) be resolved in favor of the person accused of wrongdoing and the lesser restriction.

    This is true even if the BULK of the sites with open permissions in fact are, and can be expected to be, the result of user error. (I won't go into the reasons in more depth here.)

    Given that using an open file system is legal by the above arguments, a tool to find such legal-to-use resources can not itself be a violation of law.

    A related issue: There's been a lot of legislation lately directed at people who break into systems to misuse them, and this has resulted in prosecutions of people, especially juveniles (or chronological adults with arrested development B-) ) who were just exploring. But I have yet to see the doctrine of "attractive nuisance" applied to computer systems set up with inadequate attention to security.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  79. Re:Again...yes and no by tchuladdiass · · Score: 1

    It can also be said that the only reason for running anon ftp or http is to share files to the world. However, there are reasons for sharing your hard drive/folder other than for world access. I.e., if a user had a home network before getting a cable modem/dsl, and shared a desktop drive for access from a laptop, then a year later got cable modem, forgetting that there were open shares....

  80. Re:We have to respond to this by TheTomcat · · Score: 1

    I knew someone would post this analogy, and it's just not applicable.

    Sally had to ACTIVELY set up this share in windows.

    NOT putting up a fence is passive.

    Not even the same ballpark.

  81. Some chlorine for the computer-user gene pool by RollingThunder · · Score: 2

    or, Practical Darwinism... take your pick. :)

    Seriously, I view this program as a net Good Thing (I'm not going to comment on the business model). This will bring unsecured file shares to more prominent attention, at the expense of some Clueless Users, and hopefully will finally result in this crap getting cleaned up.

    Just the other week, some putz on tribalwar blamed "those damn hackers" when somebody plunked a virus/script into his open read/write C share, resulting in an "ALL YOUR COMPUTER ARE BELONG TO US". Sorry, bud, you done screwed up first.

    Regarding @home users - in my area (Vancouver, BC), they blocked that port YEARS ago. Pissed me off, too - I was foolishly using it for home to work transfers. I take from the comments this isn't standard among all the various regional @homes?

  82. Re:We have to [stop] respond[ing] to this [post!!] by johnnie · · Score: 1

    argh.

    ok, i have attempted to read the comments following this here post, and i have failed. too much bandying about of half-assed metaphor and trolling and whining and calling of names.

    so, i wanted to get in on the fun too.

    first of all, let's please quit with the "stupid moron LoseBlowzeME luser" crap. it's infantile at best. (correct, perhaps, but infantile.)

    my Dumb Metaphor Of The Day:
    i do not know how to drive a car in a safe, responsible manner. for that matter i do not know how to drive one at all. i tried to use a ride-on mower once and made the front page of the Boston Globe. it's scary.
    so, i bought this nice, shiny new car. it has a *ahem* automatic transmission so, i don't need to know how to _really_ drive, now do i?
    i take this death-machine and wrap it around a telephone pole, because i did not know how to operate it. no one got hurt, but i take out a neighborhood's power and fone for a few hours. whose fault is this? the guy who put the phone pole there? the guy who sold some no-license-having doofus a car? ESR? RMS? or, just maybe it was the guy using a tool he does not understand. it irks me to no end to see someone doing anything they don't know about without some assistance. f'r crap's sake, you can't even use a hammer effectively and safely if you do not know how!

    blah. anyway, we're not changing anything by carping about it here. go outside.

    notes: msuzio kinda has a point. also, automatic trannies are for sexless freaks that belong in the same phylum with nematodes. i need one coffee, one beer, and a better job.

    --
    Don't ask. Go see.
  83. This sounds legal by quinto2000 · · Score: 2
    IANAL, but according to NYS law, you cannot prosecute for computer trespass unless there is a barrier that was broken by the intruder to access your computer. This is a key element to the crime. With no password, you really are screwing yourself.

    --
    Ceci n'est pas un post
  84. Re:shares by red_dragon · · Score: 1

    Somebody put up us the shares.

    --
    In Soviet Russia, Jesus asks: "What Would You Do?"
  85. This is a GOOD THING! by baptiste · · Score: 1
    Hey - before you click TROLL - read on.

    This program and effort is a good thing. If it gets even 10% of the stupid users out there to turn off sharing or protect it or even better invest in a firewall - all the better. Do you work at an ISP? Run a script to scan this newsgroup for IPs in your block - bam - you've got other people doing part of your job. Just alert the IP owner that they have an insecure share and should close it.

    Even more to the point - how can you say this is even remotely illegal? The unlocked home door analogy is close - makes you automatically say - illegal. But what about leaving the blinds open while you and your significant other get busy? If the creep is outside your window peeping in - trespassing, it is illegal (though you should be smacked for complaining if you leave the blinds open.) But let's say, for example, the creep is across the street with binoculars? Same line of thinking is police scanning your home from far away for EXTERNAL heat signatures - murky yes, but again - if the image, signature, visual, data can be received from a location OFF YOUR PROPERTY, I'd venture to say it is legal. It's up to you to protect your privacy. If you close your blinds at night - you should make sure your shares are closed or protected. Otherwise if someone wants to peer in - you shouldn't be able to complain.

    Heck - a friend of mine - who is a network engineer, didn't realize he had inadvertently left an anon FTP server running on his box (behind a firewall, etc.) He likes to FTP into his server (yes not mega secure but still) but didn't realize he left anon enabled.

    That is until someone started sticking files onto his ftp space. He promptly closed it - nuf said. He didn't scream, try to sue. He just fixed HIS MISTAKE and moved on.

    If you leave your PC open and freely accessible to the internet - its fair game. Maybe this software will smarten up some folks and the others will provide free disk space to the rest of us ;)

  86. Re:Might work... by cavemanf16 · · Score: 1
    "whoops, I didn't know it was shared"
    Brings to mind a song...

    "Oops, I did it again,
    I shared my network,
    and now I've got a computer transmitted disease,
    it's called a virus
    and it's all Win-dooowwwss fault!"

  87. Re:goodie! by TheCarp · · Score: 1

    I kind of think of it as walking around in a place where the lighting isn't that good.

    This software is like a flashlight, you point it at the building you're in front of, and it sends a beam of light (or in this case a few packets) that bounces back and tells you that something's there.

    Then it filters this information for you and shows you all of the places that have doors open and signs next to the door that say "Come on in".

    At the very least, this exposes people who don't know what they are doing. This is a good thing, because it will cause their files to be messed with, which is bad, but will provide them with information - namely that they are exposed and they should fix this.

    In the long run, I think it will be a very good thing for Windows users.

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  88. Re:I'm sorry that does not pass the giggle test by GMontag451 · · Score: 1
    AppleTalk (at that time) defaulted to sharing the local filesystem across the network, without security

    It's AppleShare, not AppleTalk, that shares files, and it has never come on by default.

  89. Re:you wouldn't believe by Fishstick · · Score: 1
    Similar experience. Ten minutes after the @home guy was done 'installing' the software on my supposed desktop machine (I had pulled a p166 out of the closet and installed 'doze and pointed the technician at it "where's yer 'puter?"), I had my masq box up and connected to my cable modem and to my internal network. Moments later I had my Debian box pointing to my masq box and I was happily surfing and downloading.

    Meanwhile, I was getting ready to wipe the drive from that p166 and was checking out the setup and I noticed that the C drive had been opened up as an unprotected share. I know I didn't do that, I had installed windows only the day before and I hadn't even bothered to install networking, let alone enable file and print sharing and do something as dumb as sharing the whole damn C drive with no password! Scratching my head, I proceeded to put Linux back on the machine and install bind and to go happily about setting up a local name server. I didn't give it another thought. I was in bandwidth/home LAN heaven.

    A few weeks later I got an e-mail from @Home screeching at me about 'modifying' my @Home setup, and notifying me that a technician was scheduled to return to my home to restore my setup to the required @Home configuration (read: windows).

    Sh*t. Well, what was I going to do? I decided to just let the chips fall where they may. The guy showed up and was actually pretty cool about it. He mumbled something to the effect that it was a stupid policy they had since all you really needed was TCP/IP and DHCP to use their service and giving people a hard time for changing the setup was bullsh*t. He looked at my setup, made a couple notes and then half-smiled as he left.

    I never heard another word about it. I have a feeling my paperwork just ended up getting 'lost'.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  90. Re:you wouldn't believe by Foddrick · · Score: 1

    On Telstra Bigpond Cable in AU, they've blocked the netbios ports at their routers. No using _MY_ hard drive!

  91. What did her parents say when you explained them.. by Hanno · · Score: 2

    ...yes, I met your daughter while I was looking for digital porn movies.

    --
    You may like my a cappella music
  92. Wait a minute......turn on MY file sharing too???? by Slide100 · · Score: 1

    I found this the most interesting part of the description of Share Sniffer: "In order to utilize ShareSniffer, it (File and Printer sharing) must be activated on your system. To learn the steps to activate your WFSP, consult the sites linked below." That means I have to turn on my file sharing too! Not bloody likely!

    --
    >B2 Spirit, radar contact......
  93. I'm sorry that does not pass the giggle test by Zachary+Kessin · · Score: 3

    You can't get up and say that this tool does not break into people's system, the users do. There seems to be a trend (As in Napster) where a tool is written to do something and they deny that the tool is doing it.

    It just does not wash. And boy am I glad I'm running Linux.

    --
    Erlang Developer and podcaster
    1. Re:I'm sorry that does not pass the giggle test by pallex · · Score: 1

      "Well... to use a physical analogy... "

      No! Don't! It doesn't work! "All analogy is fraud" as someone once said. You can't compare copying to stealing, it just doesn't make sense! People have an attachment to their house and property that they just don't have to a bunch of files.

    2. Re:I'm sorry that does not pass the giggle test by Twisted+Logic · · Score: 1

      Yeah, cause it sure wasn't the NRA that started it. Let's blame Napster! Guns don't kill people, people kill people!

    3. Re:I'm sorry that does not pass the giggle test by pallex · · Score: 1

      "If I decide to knock over a bank, whether I did it to feed my kids or support a drug habit wouldn't make it any more or less illegal."

      No, but in my eyes it'd certainly make it less immoral if it were robbing a bank or your kids starving. If you're a drug addict you're just a loser!

    4. Re:I'm sorry that does not pass the giggle test by Gwared · · Score: 1
      The most obvious problem with this is that Microsoft might well decide that the appropriate convention could be "MS_OPEN_SHARE" even after half the population of the world had started using "SHARE_SNIFFER". You can bet that AOL would similarly name their standard "AOL_SHARE", and some 1337 bored kid would name his "IF_YOU_CAN_FIND_THIS_ITS_YOURS".

      Besides, surely the whole point of the open sharing in the first place was to mark those files as open to everyone? What if someone accidentally labeled their drive "SHARE_SNIFFER" because they saw someone else do it once and thought it was "What was done"?

    5. Re:I'm sorry that does not pass the giggle test by wmulvihillDxR · · Score: 3

      According to the article (which quoted the CEO of the company), the tool merely FINDS the open shares. From the article:

      Rogers also points out that ShareSniffer only locates open shares, it doesn't access them. The user does that through normal Windows functionality.

      Sounds familiar.....

      --
      Check out Althea for a stable IMAP email client for X. Now with SSL!
    6. Re:I'm sorry that does not pass the giggle test by memfrob · · Score: 1

      For that matter, this tool reminds me of a more limited version of Archie.

      With Archie, you could find files on anonymous FTP sites, and you didn't have to verify with each and every site that the server meant to run ftpd and allow anonymous access.

      With ShareSniffer, you only find servers; you have to hunt for the files yourself. Should I have to verify that each of them meant to run smb like this?

      --
      The Wizard utters the word 'frobnoid!' and cackles gleefully
    7. Re:I'm sorry that does not pass the giggle test by msuzio · · Score: 2

      This isn't analogous to Napster, etc. In those cases, Party A & Party B clearly intended to exchange files. Here, they involve Party C, who never wanted to be at the party in the first place :-).

      The tool may be legal, just as Napster should be legal (prosecute users, not vendors). It is hardly moral, since it encourages users to basically commit computer crime that isn't defensible by any "fair-use" doctrine at all.

    8. Re:I'm sorry that does not pass the giggle test by susano_otter · · Score: 1

      Heh. In my previous life, I worked as a receptionist for [major software manufacturer], and they were predominantly Mac-oriented throughout all their offices... AppleTalk (at that time) defaulted to sharing the local filesystem across the network, without security, and without notifying the user.

      Thousands of filesystems available to my receptionist's station... I leeched a lot of stuff.

      Sure, I could do the same thing now on the Windoze networks I seem to be stuck with, but somehow the thrill is gone (plus, now I do real work, and don't have the time to go snooping around like that).

      --

      Any sufficiently well-organized community is indistinguishable from Government.

    9. Re:I'm sorry that does not pass the giggle test by BeBoxer · · Score: 2

      I don't see how you can say that Party C never wanted to be at the party. In order to have an open share, C had to explicitly turn that feature on. Now, maybe they didn't understand what they were doing. But, in the absence of evidence to the contrary, it seems safe to assume that when somebody has taken positive action to run a filesharing service available to the world they meant for the public to be able to access it.

      Should it be illegal to access an anonymous FTP server? Do I have to get written permission to access an HTTP server? No. The mere fact that someone is running a publicly available server which offers a service to the world without any authentication implies that I can use that service.

      If ShareSniffer was some tool for stealing passwords, or hacking into Windows shares by trying to crack the passwords, that would clearly be a tool for assisting hackers. But this isn't the case. Some of the people with open shares may have done it by mistake. But, a lot of them are doing it on purpose. It is a simple way to share files, and it's just as legitimate as running an FTP or HTTP server.

      Granted, it might be a good idea for ShareSniffer to put some simple sanity checks in place before reporting shares. For example, it can see if the user has shared their entire hard drive. If they have, it might be a reasonable assumption that that's a mistake which should not be advertised. On the other hand, if only certain folders are being shared, that's probably a legitimate share.

    10. Re:I'm sorry that does not pass the giggle test by TheCarp · · Score: 1

      Well... to use a physical analogy...

      If you leave the door to your house wide open, then you can't charge a person with breaking and entering. (Trespassing sure, but not breaking and entering).

      What's this more like? Well, if you tell your system to share out a piece of your hard drive (be it a "folder" in windows or a volume under coda, or a directory under nfs) then you have made something available.

      Anyone who queries your machine (which is really no different than looking at your house from the street, analogy wise), then they see this sign sitting there "Shared Space here, come on in".

      I am pretty sure that if you had a similar sign on your house, and left the front door open, it would be hard to charge someone with trespassing.

      If someone shares out a drive, and does not implement access control, then I think it is wholly right that we assume that they know what they are doing and MEAN to do it.

      This tool just makes use of the shares that a person has made available. It doesn't "break in", it walks in the open front door and uses the offered resources.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
  94. WinNT/2K administrative shares by DHartung · · Score: 4

    Correct, Windows 2000 (like NT) has default hidden shares named for the drive, e.g. C$ (where the $ indicates hidden: it won't show up in Explorer as shared). Admin$ is equivalent to the C:\WINNT folder (which may be different, for example, it may be on the D drive, or a reinstallation could have named it C:\WINNT2).

    First, these MAY be removed. If you have no need of file sharing (e.g. a standalone PC) this would be recommended above any other security measure. Log in as administrator, right click on the drive, and change the sharing.

    Second, the administrative shares are by default set to Full Control for administrators on the domain that was used to authenticate your machine to the network. This is their purpose: to allow human administrators and administrative processes to run unimpeded. You may retain the administrative share but reduce the access to read-only, again by logging in as administrator of the local machine.

    If you are not authenticated on the domain, but are simply connected, someone trying to access this share will need to know the administrator password on the local machine (and they themselves will usually need to be logged out of the domain, to avoid a rights conflict, though there are tricks to get around that).

    It is possible to lock out Domain Administrators yet still permit local machine administrators, by removing the one group from the other, but in most cases this will one day cause your administrator to pull his hair out.

    To reiterate: yes, Win2K has shares by default, but they are only open to authenticated administrators.
    --
    lake effect weblog
    {Network engineer in Chicago--looking for work!}
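    As an added example (not code from this thread or from ShareSniffer), the sanity checks BeBoxer proposed in comment 9 of thread 93 above, combined with DHartung's description of the hidden administrative shares, written out as a small audit script: it classifies a list of constructed share records, treating C$/ADMIN$/IPC$ as admin-only by default, a whole drive open to Everyone as a likely mistake, and a world-writable folder as the case outsiders can abuse. The Share record type, the rule names and all sample data are assumptions for the example.

```python
"""Heuristic audit of Windows file shares (added example; not the thread's
or ShareSniffer's code).  Rules, following the discussion above:
  - hidden administrative shares (C$, ADMIN$, IPC$) are admin-only by default;
  - a whole drive shared to Everyone is almost certainly a mistake;
  - a folder Everyone can write to is usable as free disk space by strangers;
  - a folder Everyone can only read is plausibly an intentional public share.
All share records below are constructed sample data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Share access rights as Windows names them in a share ACL entry.
FULL, CHANGE, READ = "Full", "Change", "Read"
WRITE_RIGHTS = {FULL, CHANGE}

# The built-in hidden shares: one per drive letter plus ADMIN$ and IPC$.
ADMIN_SHARE = re.compile(r"^(?:[A-Za-z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)
# A drive root such as C:\ (a whole-drive share).
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


@dataclass
class Share:
    """Assumed record shape: share name, local path, and (account, right) ACL."""
    name: str
    path: str
    acl: List[Tuple[str, str]] = field(default_factory=list)


def everyone_rights(share: Share) -> Set[str]:
    """Rights granted to the unauthenticated world (the Everyone group)."""
    return {right for account, right in share.acl if account.lower() == "everyone"}


def classify(share: Share) -> Tuple[str, str]:
    """Return (severity, reason); severity is 'info', 'low' or 'high'."""
    if ADMIN_SHARE.match(share.name):
        return ("info", "administrative share: hidden, admin-only by default")
    rights = everyone_rights(share)
    if not rights:
        return ("info", "no Everyone entry: callers must authenticate")
    if DRIVE_ROOT.match(share.path):
        # BeBoxer's check: a whole drive open to the world should not be advertised.
        return ("high", "entire drive open to Everyone: almost certainly unintended")
    if rights & WRITE_RIGHTS:
        return ("high", "Everyone can write: usable as free disk space by strangers")
    return ("low", "folder readable by Everyone: plausibly intentional")


def audit(shares: List[Share]) -> Dict[str, Tuple[str, str]]:
    """Classify every share, keyed by share name."""
    return {s.name: classify(s) for s in shares}


def high_risk(shares: List[Share]) -> List[str]:
    """Names of the shares that are most likely misconfigurations."""
    return [s.name for s in shares if classify(s)[0] == "high"]


# Constructed sample: one hidden admin share, one whole-drive share, one
# world-writable folder, one read-only folder, one authenticated-only folder.
SAMPLE_SHARES = [
    Share("C$", "C:\\", [("Administrators", FULL)]),
    Share("CDrive", "C:\\", [("Everyone", READ)]),
    Share("Incoming", "D:\\Incoming", [("Everyone", CHANGE)]),
    Share("Music", "D:\\Music", [("Everyone", READ)]),
    Share("Work", "D:\\Work", [("DOMAIN\\staff", CHANGE)]),
]

if __name__ == "__main__":
    for name, (severity, reason) in audit(SAMPLE_SHARES).items():
        print(f"{severity:<5} {name:<10} {reason}")
```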
  95. Hmm. . .That's why. . . by Salgak1 · · Score: 1
    . . .on Windoze networks, I always install an additional protocol on top of TCP/IP, and modify the bindings such that file sharing only works on the alternate protocol.

    It also works as a brute-force, extremely porous firewall. But lacking security on the filesystem, binding sharing to a non-routable protocol is an acceptable, if not optimal solution....

    1. Re:Hmm. . .That's why. . . by mbyte · · Score: 1

      The problem with this, however, is that it breaks Samba compatibility... no, SMB over something other than TCP is not implemented in Samba (yet!)

  96. Re:I'm glad someone finally did this by DHartung · · Score: 2

    Windows file sharing is so fucking stupid -- why on earth would they set it up so the default share is "all users: full access"???

    This is not true. The default share setting is read only.

    Any reasonable person must infer that Microsoft WANTS people to give their hard drives to the internet at large.

    It's more a Very Bad side-effect of oversimplifying security and making it friendly. What happens is that file-sharing is set when you install a network card. For most people this is already installed and ready to go. During Windows installation, the user is asked, "Do you want to give others access to your files?" which is straightforward enough. The problem is that this is a separate activity from setting up internet access, and there is no step during internet access that warns you, "You have given others access to your files, do you really mean that?"

    Also, it would be better if the NETBEUI protocol used to access these shares were not bound to the dial-up adapter (i.e. modem). Unfortunately, all protocols are bound to all devices by default.
    --
    lake effect weblog
    {Network engineer in Chicago--looking for work!}
  97. This is the way Scour worked for a long time by Bonker · · Score: 2

    before it got its Napster-like interface.

    Scour, we miss ye...

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    1. Re:This is the way Scour worked for a long time by mjgamble · · Score: 1

      Well, mostly. It did basically index the SMB shares in the world, but it certainly didn't promote "customers" from using other peoples' shares for their own storage facility...

  98. Again...yes and no by JiveDonut · · Score: 1
    I'm not saying that running windows means that you are stupid. After all I run it, and I am extremely intelligent. heh.

    I am saying, though, that the average Windows user is less security savvy than the average Unix user.

  99. Does the protocol matter? by zmooc · · Score: 1
    Federal law makes it illegal to knowingly obtain unauthorized access to a computer.

    That's what the article says, but I don't think this will ever stand; how can I know if I'm authorized to use /.?
    I don't see how this could be different for any other protocol; I can access everything that's served over HTTP but cannot access NETBIOS shares? Bullshit! One can never know if something is shared on purpose, but I think it's fair to assume so.

    Making this illegal would definitely change the Internet in a not so nice way; suddenly it can be illegal to browse around just a bit because you just cannot know if everything you see is shared on purpose.

    Making a difference based on the protocols used is just plain stupid. I don't think this ShareSniffer thing is a good thing, but I sure hope it will not be made illegal.

    --
    0x or or snor perron?!
  100. Re:Might work... by cavemanf16 · · Score: 1
    In the house, if there is a VCR and I take it, then the original owner has lost all use of it. What if I came in and *cloned* the VCR, so the original owner still had his fully functional unit, but now I had one just like it?

    I agree that this is fine, this is what Napster did. It allowed people to clone MP3 files from a directory you specified, but this ShareSniffer makes it possible to read OR write to the other person's data without your knowledge of it. Which can mean loss or corruption of data. Sending out bulk viruses would be so easy, and for the average Windows user, they'll probably end up with unintentional shares on their hard drive. (Analogies to this have been made to linking your laptop to your desktop to transfer files momentarily.)

  101. Fun with ShareSniffer kiddies.... by L.+J.+Beauregard · · Score: 1
    If you put a file on my hard disk, you give me the power to alter it.

    So here's how to have fun with 31337 d00d2 who use ShareSniffer on your 'puter:

    • Share out some innocent-looking directory.
    • Post a fake ShareSniffer report to Usenet.
    • Run a background process that watches this directory for new files.
    • When new files appear, munge them:
      • Windows .EXEs: replace with a trojan that nukes the hard drive of the eedjit who downloads them.
      • MP3s: replace with one saying ALL YOUR BASE ARE BELONG TO US.
      • Images: replace with one bearing the words PAY FOR YOUR OWN DISK SPACE.
    Other mischief is left as an exercise for the reader.
    --
    Ooh, moderator points! Five more idjits go to Minus One Hell!
    Delenda est Windoze
  102. 100.000.000 neighbours by The+Fanfan · · Score: 1

    In a company I used to work for a while ago, we had a fairly open FTP server, so any client could drop files when we asked them for feedback on a bug report, that kind of stuff. The policy was read/write for everybody but no delete/overwrite. Fairly liberal policy but who cares? Nothing critical on this server.

    One day, clients started to complain that the server was damn slow and failed to receive their files. The depository directory was apparently clean. And then looking at the logs (for the first time in 2 years ;-), bingo: it was a squatter who was stuffing innate mounds of data in/out a hidden directory. Solution: erase everything and set up an id/password setup for each client who needs this access. But, even if the loss of resources is small, it just sucks to have to do that.

    Open directories on the Web are a bit like mail boxes. It's wide open and it's very easy to stuff shit in there, but it's just plain discourteous and stupid. Now, the difference is that for your mailbox, you just have to deal with the neighbours' kids. On the Web, you have 100.000.000 neighbours.

    Get over it, there's necessarily at least one mean asshole in the bunch.

    My $0.02

  103. Oooo... by Anonymous Coward · · Score: 2

    Ok, I'll run SAMBA just so I can (a) sign up, (b) share some folders, and....

    (c) have a chance at some of those hot female lawyers!

    Where can I sign up?

    1. Re:Oooo... by pblanton · · Score: 1

      That's my sister you're talking about!

      With Regards,
      Phillip H. Blanton

  104. OK: Quick review... by talks_to_birds · · Score: 1
    ...the program's a piece of crap.

    Had to download it twice before all of the files got downloaded correctly.

    Crashed every time I ran it, always with some pissy-assed Window$ error (1 general protection fault; 1 total lockup; a bunch of something like "..that control has (not?) been (de-?) registered..) etc etc and it goes ka-booom...

    For a *real* good time, try clicking on the "Properties" field under one of the four sub-windows -- it goes ka-booom big time when ya do that... and then ya get to watch Window$ do a scan-disk 'cause it wasn't shut down properly... jeez, I guess!

    ...and a quick peek at tcpdump, and what's getting DENY'ed by ipchains *when* it does run suggests it wants at least udp and tcp 137 opened up on my firewall, and fsck that.

    ...and it reports back to the mothership *every* time you start it up, under the guise of "Checking Internet connection: please wait".

    I didn't break out *what* it's sending back to the mothership, but the packet sizes are pretty big...

    Screw it...

    ...who cares?

    t_t_b
    --
    I think not; therefore I ain't®

    --
    I'm on PJ's "enemies" list! Are you?
  105. Re:Great! by Ronin+X · · Score: 1
    Oh are YOU gonna be sorry when Jesus comes back with his 17,462,591 commandments! (Hey life's gotten a bit more complicated in 2000 years).

    commandment 5,927,262: Thou Shalt Not use The Pitiful Security of the AntiChrist's Operating System to store Thy Warez on the Hard Disks of My Flock. (R)

    --
    Ok my karma is maxed out. When do I become Enlightened?
  106. We have to respond to this by msuzio · · Score: 5

    Oh great. I read this report and thought "this can't be for real". But apparently it is. I never thought I'd see the day when such outright "cracking" activities are treated as a business model :-).
    Clearly, this is not a good thing or a moral thing to do -- I can defend Bob and Joe trading MP3s, but if they do it via Sally's open share (and grab some of her files too), that's a totally different thing. The problem is, the corps are going to point to this and say: "See? These geeks are just a bunch of thieves and pirates!".
    In this case, it seems fairly clear-cut that they are right :-). I sincerely hope this program falls flat on its face, and these guys go out of business. If they presented their tool as a "security hardening" device to probe your own network, I could buy it. But they aren't even putting up that much of a facade (how stupid are they?).

    1. Re:We have to respond to this by Kharny · · Score: 1

      You are right here. For example: I have a car, it costs about 3000 dollars. I know I have to maintain it (let others do it for me). Essentially a 1500 dollar PC is the same. It has to be maintained; people should know basics after a certain time. Furthermore, in Windows, to share a drive, you have to activate sharing, share the specific drive, AND make it read/write, instead of read only.

      --
      Make a man a fire and he will be warm for a day, set a man on fire and he will be warm for the rest of his life
    2. Re:We have to respond to this by greenrd · · Score: 1

      > What do you suggest people do? Take a week out of their lives to read a 400 page manual and work through the intricacies of installing and setting up unix/linux and spend another few weeks learning the subtleties of securing said system?

      For organisations that are large enough to have sysadmins, that's the sysadmin's job. And yes they should learn to set up a Un*x system and secure it - Red Hat isn't that hard, for one (if you're lucky with the hardware). Ever heard of training courses? Yes they cost money but they can be a good investment - especially when you consider that clueless sysadmins can spend hours doing trivial tasks due to misunderstandings/not knowing the faster ways to do it.

    3. Re:We have to respond to this by greenrd · · Score: 1
      Oops, first para should be italicized.

    4. Re:We have to respond to this by dirk · · Score: 2
      > "But it doesn't work that way. In the "real world", access is something that is given, and it is assumed that if you have not been given access that you should have none. Why should we make special rules for the digital world? Unless you are given access, you have no right to be there."
      >
      > I disagree. It IS different online. Think of FTP sites. Where would we be if we had to request access to all of those great publicly available resources?


      But isn't the anonymous logon a way of giving permission? It isn't that you don't have to log on; you have to use a specific log on to get access. That log on gives people permission to log on. If something is just open, there isn't an implied permission given by a log on.


      It's like needing a password to enter your house. I could make the password my name and tell everyone that is the password, and tell them to tell all their friends. They then have implied permission because they know the password I set up. They would still need the password, even if I left the door open, but they have it. But if I leave my door open, and there is no password, there isn't implied permission to enter.

      --

      "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    5. Re:We have to respond to this by TheTomcat · · Score: 1

      > I can defend Bob and Joe trading MP3s, but if they do it via Sally's open share (and grab some of her files too), that's a totally different thing.

      I disagree. What if 'Sally' was running an anonymous FTP server, would it be any different?
      No.

      If 'Sally' didn't want anyone and everyone using her read/write share, she shouldn't have left it wide open. It's that simple.

    6. Re:We have to respond to this by Jeremi · · Score: 1
      > What if you set up the share so your old PC can talk to your new PC? It may not be common sense to Joe Bestbuy that the entire world can see the stuff, too.

      If Joe's file-sharing software is doing what he wants it to do, or is doing things he doesn't want it to do, then that is a problem between Joe and his software provider.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    7. Re:We have to respond to this by Kwantus · · Score: 1
      > What do you suggest people do?

      Uhhh... Squawk to M$, or the lame magazines that drool over M$ products? I didn't say anything about switching OSs, now, did I?

      As for 400-page manuals and taking weeks out of lives... excuse me? There's plenty o' 400+-page books for M$ products, and a plenty o' week+-long training courses. There's an enormous industry in teaching people how to use M$'s allegedly trivial-to-learn stuff.

      > Robert Morris is a hacker, Bill Gates is a businessman.

      You missed the point entirely. Windows has, by design,* caused the world a lot more security grief than Morris ever thought of. Yup, there's a big difference all right; Gates has a lot more lawyers, politicians, and media organs in his pockets.

      * Morris' worm wriggled through various mistakes left in the software. Many of the latest horror stories - such as ILOVEYOU - worked entirely within the intended design of Winduhs. But who gets the blame? Sure, the guy who steals your stuff is bad, but if you built your mansion in a bad neighbourhood and went away for a week with all the doors and windows open and big map of the house on the front gate showing where all the goodies were, don't come to me looking for sympathy.

      Put simply, M$'s design has been directly responsible for far more losses to intrusions than Morris's worm... yet Morris is in prison and Gates is a billionaire. What a wonderful country is the USofA.

    8. Re:We have to respond to this by SmittyTheBold · · Score: 1

      It isn't even close to "cracking." These persons have made software that finds shares on a network, albeit on a bigger scale than ever before. So what? If I share something, and make it publicly readable, I meant it to be that way. I shared it on purpose.

      If I made a share with important trade secrets, then made it publicly readable, then I'm stupid. That's like taking those same secrets and putting them on a billboard.

      If you want to share something, do it. If you want something on a public share, get it. It's public for a reason.

      This product doesn't do anything to violate rights. It does nothing close to cracking. It simply finds things people have publicly shared and makes it easier to get to such things.

      What's so bad about that?

      --
      ± 29 dB
    9. Re:We have to respond to this by msuzio · · Score: 2

      In this case, we all know "Sally" doesn't know what she did. It's clear that Windows presents the facade of protecting users from themselves (why else would you use it?), but then fails in this regard by not at least saying:

      "Hello, Sally. You seem to have just asked me to share your files to the world, but did not set a password. Did you really want to do that?"

      Along with a nice help button that explains how this is Not A Good Thing(tm). I just tried this with Win2K, it didn't prompt me at all!

      At least with Unix, no claim is made -- if you're an idiot, and can't at least RTFM, don't come to play. Here, Windows claims to coddle the foolish user, and all it does is allow them to do stupid stuff... You can't have it both ways.

    10. Re:We have to respond to this by JiveDonut · · Score: 1

      What if you set up the share so your old PC can talk to your new PC? It may not be common sense to Joe Bestbuy that the entire world can see the stuff, too.

    11. Re:We have to respond to this by David+Greene · · Score: 1
      > Clearly, this is not a good thing or a moral thing to do -- I can defend Bob and Joe trading MP3s, but if they do it via Sally's open share (and grab some of her files too), that's a totally different thing.

      Why? Because in one case the theft victim is an identifiable individual and in the other it's a corporation?

      > The problem is, the corps are going to point to this and say: "See? These geeks are just a bunch of thieves and pirates!". In this case, it seems fairly clear-cut that they are right :-).

      If you accept that, you have to accept that Napster, etc. are just as guilty. Either the lawbreaking is performed by the individual software users or it is performed by the software creators. You can't have it one way in one situation and the other in another.

    12. Re:We have to respond to this by OlympicSponsor · · Score: 2

      "I can defend Bob and Joe trading MP3s, but if they do it via Sally's open share (and grab some of her files too), that's a totally different thing."

      First off, where did "grab some of her files too" come from? That's just gratuitous and you know it.

      Secondly, there's nothing wrong with Bob and Joe using Sally's HD per se. It's really the "unknown to Sally" part that you object to. So I guess to appease that factor, we'd have to have some kind of explicit process Sally has to go through in order to share that drive. Guess what? That process already exists. Now granted, Sally may not realize what she (or the software she installed) did. But it's not entirely clear-cut to me that Bob and Joe are in the wrong.

      Consider an alternate universe: A lot of people use ShareSniffer and a lot of people share out their hard drives for the express purpose of letting people store MP3's there. (this isn't ridiculous, it's pretty much how Napster or FreeNet works) Now imagine Sally accidentally shares her drive out and finds it filling with MP3's. ShareSniffer has no way of knowing that Sally didn't mean to share the drive out. Are Bob and Joe in the wrong? Or is Sally to blame for not understanding her technology?

      *MY* objection to ShareSniffer is: What if I WANT to share my files...but not to ShareSniffer users? To be good netizens (not their purpose, I know) they should really have invented their own protocol.
      --
      Non-meta-modded "Overrated" mods are killing Slashdot
      (Hey Ryan! Here's your proof!)
    13. Re:We have to respond to this by Kwantus · · Score: 2
      > how stupid are they?

      I'd say, comparably stupid to those at M$ who gave the world a nearly insecurable networked filesystem, and those who use said filesystem. How many problems have to be exposed in M$'s heap of shit before people will raise the proper squawk? Robert Morris got prison, Bill Gates got rich... what a world.

    14. Re:We have to respond to this by TheTomcat · · Score: 1

      it's (un)common sense.

      If I set up a share for my friend across the country to use, and don't set a password, it's OBVIOUS that anybody else can use this share.

      Survival of the fittest. If someone is that dumb, they deserve to get their precious bandwidth wasted.

    15. Re:We have to respond to this by ADRA · · Score: 1


      > Survival of the fittest. If someone is that dumb, they deserve to get their precious bandwidth wasted.

      Man, what an elitist swine you are. Instead of abusing their system, why not be a good "educator" and enlighten them by sending them or their ISP an email to fix the problem, instead of justifying their abuse through intellectual superiority.



      Thus Spake ADRA

      --
      Bye!
    16. Re:We have to respond to this by Flavius+Stilicho · · Score: 1
      "But it doesn't work that way. In the "real world", access is something that is given, and it is assumed that if you have not been given access that you should have none. Why should we make special rules for the digital world? Unless you are given access, you have no right to be there."

      I disagree. It IS different online. Think of FTP sites. Where would we be if we had to request access to all of those great publicly available resources?

    17. Re:We have to respond to this by Your+Login+Here · · Score: 1

      Are you sure about that? Win9x gives a warning when you have TCP/IP shares open to the internet. It also offers to disable them. It seems odd that MS would take this out of Win 2k... maybe they just never had that feature in the NT series.

  107. you wouldn't believe by TheTomcat · · Score: 4

    you wouldn't believe the number of @home users who have a share called "C" which is read/write access to their whole hard drive, not just the mp3s, shared over SMB, publicly.

    Or maybe you would..

    Is this a default when you run the @home install CD or something?

    1. Re:you wouldn't believe by Cy+Guy · · Score: 2

      > Is this a default when you run the @home install CD or something?

      AFAIK it's not, but the reverse should be true. Cable and DSL ISPs should install (or at least warn you to install, with an included download link) ZoneAlarm or other personal firewall software when you configure your broadband account.

      This might also give the broadband ISPs some teeth when they try to enforce a 'no server' policy against their customers, since the customer couldn't plead that they were running Napster or an FTP site unknowingly if they had to specifically enable ZoneAlarm to allow each piece of software that was running as a server.

    2. Re:you wouldn't believe by Salgak1 · · Score: 2
      It did, a year ago. I found it, turned my shares off, and got a nastygram from @Home several weeks later about it. Which is one of MANY reasons I now do DSL, with Speakeasy.net.

      But then, @Home isn't exactly designed for the power user, much less the security-conscious one. Heck, they claimed Linux wouldn't work on @Home, either. . .

    3. Re:you wouldn't believe by Roofus · · Score: 1


      I'm not sure about the rest, but I have TCI@Home, and they filter out the netbios ports. I find it more of a pain than a help, but I can see how it's the "prudent" thing to do.

    4. Re:you wouldn't believe by Roofus · · Score: 1


      Yes, but you need Administrator privileges or at least the admin password in order to access shares such as c$ and d$. And if some cracker has the password, you have much bigger problems.

    5. Re:you wouldn't believe by Raver+X · · Score: 1

      Wrong. D/L Legion and have fun connecting to whoever does not have security set up right.

      --
      -- The question with Unix is NOT "Can I?" it's "How do I?"
    6. Re:you wouldn't believe by cavemanf16 · · Score: 1

      No, you don't need admin privileges to share c or d drives in Windows. I opened mine up for a few minutes while on a firewalled LAN to allow my bro' to download a game patch or two, and it didn't once ask either of us for a password.

    7. Re:you wouldn't believe by Roofus · · Score: 2


      No, I'm not wrong. Is this the legion you're talking about?

      > Legion 2.1 is a complete rewrite of the previous version. Legion will scan up to 64 class C subnets for open file shares and will allow the user to map shares to a drive. The registered version includes a brute force tool that will attempt to guess share level passwords. It's available at http://rhino9.ml.org


      This looks like nothing more than a scanner with a brute force password cracker. So either way you'll need the admin password to get to the share. Good luck trying to guess the password.

    8. Re:you wouldn't believe by Roofus · · Score: 2


      I was never talking about 95/98. I don't care about/use 95/98. The first post I responded to specifically mentioned NT/2000.

    9. Re:you wouldn't believe by Nos. · · Score: 1

      c$ and d$ are default shares for Windows NT 4 (maybe earlier, but it's been too long for me to remember). In any case, yes, the only accounts that can connect to these by default are those in the administrators group. However, most home Windows users are not using NT, but 9x.

  108. Appalling -- yet funny by YIAAL · · Score: 1

    This seems to fall into the "it's clever so it must be done" category. It's probably best understood as performance art aimed at the idiocy of the Windows file-sharing defaults. But that's fish in a barrel.

  109. Re:RIAA should clamp down on netbios! by Anomynous+Coward · · Score: 1

    I thought netbeui was the name of the native ethernet protocol that netbios rode on top of, until, as you say, some fool decided it would be a good idea to encapsulate it in TCP/IP.

    .vortex

    --
    Time flies like an arrow -- Fruit flies like a banana
  110. Scour? by digid · · Score: 1

    Scour was doing something like this long before "ShareSniffer." The Scour SMB client was one of the easiest ways to get mp3s back in the day besides web indexed ftp sites and irc fserves. I wonder why scour moved away from this approach?? Geeee.....

  111. Re:This is just silly by ethereal · · Score: 1
    > > Copying is not theft.
    >
    > It is (for copyrighted materials) under our legal system, and for good reasons.

    No, it's not. Unauthorized reproduction of copyrighted material is illegal under current law, but it is not "theft", and it is most certainly not "piracy". Theft would imply that the original owner of the work no longer possesses it, which is not the case. And piracy would be hijacking a truck on its way from RIAA HQ to your local Sam Goody, but I digress :)

    > Nobody really questioned this arrangement until it became effortless for ordinary people to violate copyright on a massive scale, at which point suddenly everyone decided they wouldn't obey an inconvenient law.

    I actually have no problems with copyright (well, pre-DMCA anyway), but I would point out the hole in your argument - under a democracy or some form of representative government, why shouldn't the laws change if the majority feels that they should, assuming that the change is constitutional? I'm not convinced that it's the end of the world if the average guy on the street gets things to go his way every once in a while. As technology changes, regular people discover new and better ways to live their lives, and if those new ways require changes to the law, then so be it.

    Obviously you have to balance this against the rights of the minority - for example, we couldn't really revert to being a slaveowning society even if the majority wanted to. But the draconian way that copyright has been enforced against the common man may well have to be rethought, lest the whole concept of copyright fall by the wayside.

    --

    Your right to not believe: Americans United for Separation of Church and

  112. Re:This is just silly by Mr.+Slippery · · Score: 2
    > It is (for copyrighted materials) under our legal system...

    No. Copying is (or rather, may be) an infringement of copyright. Theft is theft. They may both be crimes, but they are distinct actions.

    Mike Godwin of the EFF writes about this here:

    Unfortunately for the government, the Supreme Court has explicitly stated that copyrighted material is not property for the purposes of the ITSP statute. In Dowling v. United States, 473 U.S. 207 (1985), the Court held that interests in copyright are outside the scope of the ITSP statute. (Dowling involved a prosecution for interstate shipments of pirated Elvis Presley recordings.) In reaching its decision, the Court held, among other things, that 18 U.S.C. § 2314 contemplates "a physical identity between the items unlawfully obtained and those eventually transported, and hence some prior physical taking of the subject goods." Unauthorized copies of copyrighted material do not meet this "physical identity" requirement.

    The Court also reasoned that intellectual property is different in character from property protected by generic theft statutes: "The copyright owner, however, holds no ordinary chattel. A copyright, like other intellectual property, comprises a series of carefully defined and carefully delimited interests to which the law affords correspondingly exact protections." The Court went on to note that a special term of art, "infringement," is used in reference to violations of copyright interests--thus undercutting any easy equation between unauthorized copying and "stealing" or "theft."

    > ...and for good reasons. Being able to control copying allows content producers to profit from their work.

    The purpose of copyright is to promote progress in the arts and sciences, not to allow artists to profit. (Which they don't anyway... the profits accrue to the parasitic recording labels.) In the presence of easy copying, copying restrictions no longer serve to promote such progress.

    Tom Swiss | the infamous tms | http://www.infamous.net/

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  113. If they were serious about being legit... by davewill · · Score: 1

    The whole moral issue could be avoided if the software scanned for a particular share name, or comment field that indicated that the user WANTED to share the drive. Of course, then they wouldn't have all of these unwitting participants...

    --
    Dave Williams
  114. Re:This is just silly by ethereal · · Score: 1

    Well, in order to get files on or off of someone else's share, your computer has to send them a request and they have to acknowledge it by either sending you files, or storing your files. So while there may be no sign, it is the case that your permission was asked, and you agreed to the transaction. Sort of like if a door-to-door salesman came by while you were at work, asked to come in, and your no-good brother-in-law invited him in.

    The answer is, of course, throw out that lousy bum Windows :)

    --

    Your right to not believe: Americans United for Separation of Church and

  115. It's not FTP by RallyDriver · · Score: 2

    The analogy with anonymous ftp is flawed - there is an established precedent that anon ftp servers are for public use, and thus it is reasonable to assume you are welcome to use them; there is no such precedent for SMB default shares.

  116. Good! by Mdog · · Score: 1

    -troll-
    Fantastic! I hope all the click-through idiots get what they deserve! I support any software system that takes advantage of clueless users. It's digital Darwinism! All these people who get all up-in-arms about the latest privacy threat to idiots who don't know any better make me want to puke. The people who want to be sheep will be sheep, and the rest of us will laugh every time we hear it.
    -/troll-

    1. Re:Good! by The-One-Who-Knows · · Score: 1

      "Ahahahahahahahahahahaha, ROFL, ahahahah.... " -- the response to reading this. I definitely agree wholeheartedly. Stupid is as stupid does and stupid people should get what they deserve.

  117. goodie! by shren · · Score: 2

    I've got to find the addresses of the people who made this software, and see if they ever leave their doors unlocked. Because if they do, of course, then I assume I have free access to borrow their Home Entertainment System, and grab a Free-As-In-Beer on the way out.

    Next thing you know, they'll be selling software that looks for Smoking Joes (users with the username and password the same), under the logic that if someone is so completely insecure then they obviously meant for their account to be public access.

    --
    Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
    1. Re:goodie! by BrK · · Score: 2
      > I've got to find the addresses of the people who made this software, and see if they ever leave their doors unlocked.

      Leaving a door *unlocked* is not inviting unwanted guests. If a door is closed, then you should assume that you are not encouraged to enter, unless a sign is present like "Come In, We're Open!". You would be expected to *knock* first (ie: ask permission), and then go away if no one answers.

      By sharing a file/drive/folder/device the user has completed a set of actions that specifically makes the items available to The World. You *could* use Microsoft's pathetic Network Neighborhood tool to browse for shares, or you could use a 3rd party tool to browse for shares. Either way, you are browsing items that the user has *specifically* made available for public consumption.

      --
      -This sig intentionally left blank
  118. Anybody know... by talks_to_birds · · Score: 1
    ...what source port this joke runs on?

    It'll be fun to keep an eye out for punks running this sh*t...

    ...hmm

    'an maybe see just how *tight* their boxes are..

    All in good fun, of course ;-)

    t_t_b
    --
    I think not; therefore I ain't®

    --
    I'm on PJ's "enemies" list! Are you?
  119. Re:How did all this schisse porn get in my MP3 sha by SlashDotIDOne · · Score: 1

    Being german, and moderately offended, I feel I must say: a) it's the Japs that really are into that stuff.. and b) it's scheisse, or scheiße. And the parody of Aqua's Barbie Girl is in Dutch (netherlands) , not Deutsch (germany). And another thing: it's "du hasst" or "du haßt" not "du hast". Two s' means hate, one is have. Big difference. Now that this is cleared up, I would simply like to agree with you. This could easily become not only a way for a person to become unhired, but a new tool for framing him. Incriminating evidence has always been easy to place, but now your average 12 year old pimple-face next door can do it to your 83 year old grandpappy. Really reverses the flow of power in society, eh?

    --
    "I regret that I have but one life to give for my country. I'd feel safer if I had two or three."
  120. Might work... by BrK · · Score: 4
    The legal morons have this quote in the article: "The person who has, through no knowledge of his own, left file sharing 'on' with no protection, that is the electronic equivalent of leaving your door unlocked," says Rasch. "You can't with any degree of certainty say it is an invitation to enter... Therefore when you enter through an open file share, that's likely an unauthorized access."

    I don't think this would hold up in court. Leaving your door unlocked requires NO action on the user's part, thus it can be done accidentally or absent-mindedly. However, by default there are no public shares when you install Windoze. The user has to specifically share a drive, device, or folder. They cannot claim "whoops, I didn't know it was shared" because the only way for it to get shared is to perform the proper action(s).

    If I come along and discover a public share, I can only assume that the person *meant* to share it. I would not ask them for permission to use it, or browse the files, because they have *already* granted that privilege to me and the world.

    The lawyers seem to always try to re-word everything so that things are selectively illegal or wrong. Personally, I'm getting tired of the bullshit with the lawyers in America, but that is another topic.

    What remains to be seen is: who is liable for the (alleged) illegal material on one of the public shares? Is the user reasonably expected to make sure the material is legal?

    --
    -This sig intentionally left blank
    1. Re:Might work... by fm6 · · Score: 2
      > I don't think this would hold up in court.

      And your law degree is from...?

      This is not a new theory. I don't buy into it either, but it's been applied for as long as computer "trespassing" has been an issue. My first brush with the crazier aspects of computer security was when I made the mistake of informing a University IS director that some of his sensitive files were publicly readable. And, like many another Good Samaritan, I was reamed out for "snooping" in directories where I had no business. Other places I've worked have taken the view that unauthorized access to data is always the fault of the accessor -- no matter how careless the data's owner has been. And don't think these policies were put in place without plenty of legal homework.

      Law is a complicated and subtle topic. Understanding an issue like this is as difficult as understanding wave-particle duality. Plus the ultimate referee is not an objective experiment but a fallible jurist. Physics rarely works the way freshman logic tells you it will. Law is even more so.

      __________________

    2. Re:Might work... by derPlau · · Score: 2
      > Leaving your door unlocked requires NO action on the user's part, thus it can be done accidentally or absent-mindedly. However, by default there are no public shares when you install Windoze. The user has to specifically share a drive, device, or folder. They cannot claim "whoops, I didn't know it was shared" because the only way for it to get shared is to perform the proper action(s).

      Yes, but if I have a door that automatically locks, I might unlock it temporarily for some specific purpose. If I forget to lock it again, it's still unauthorized access if someone walks in. The same argument surely holds for file sharing.
    3. Re:Might work... by agentZ · · Score: 3

      Mark Rasch is not a lawyer. He's a computer security consultant (last I heard for SAIC). He's in the business selling security products, so of course he's going to talk about how this new product is bad/evil/wrong. If it was legal and good he would be out of a job. (Please note, I'm not saying I think it's a good thing, I'm just showing where his motivation may lie.)

    4. Re:Might work... by cavemanf16 · · Score: 1
      But that definitely does not give you the right to take things from inside the house (or computer system), just because it is open. Someone owns that information and/or stuff, it is not yours for the taking unless they have given you permission. Napster and other file sharing services explicitly ask which file folders you want to allow everyone else to see. This ShareSniffer just jumps into whatever you currently have unlocked, and says to the world: "Sally's back door is unlocked and she's got some really cool MP3's in there! Go download them or graffiti her hard drive at will!" I would have to say that's highly illegal.

      And what if I need to temporarily unlock my back door to swap some files on my own network? It shouldn't be legal for people to sneak in and out at will while I'm not looking. At least when I've used file sharing services, I know they are running and can be wary of what I'm doing.

      That being said, I still run a firewall on my Windows system, and am working on a Linux firewall for a more secure solution.

  121. turn the tables by Barrow_Boy · · Score: 1

    i thought it might be an idea to leave open a windows share but just leave a load of viri in the share.

    lol.

    --
    look somewhere else for a sig... *** ** *
  122. Re:This is just silly by clare-ents · · Score: 2

    Point still stands - I was responding to

    > Why can't copyright owners dictate what you do with stuff you buy after you've bought it.

    This would allow the restriction [even if it hasn't been done yet] and many others more restrictive that we haven't yet thought of.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
  123. Lawyers don't trump AUP by Tackhead · · Score: 5
    Bevy of lawyers or not, there's nothing to stop you from reporting sniffs for shares as potential violations of the sniffer's ISP's AUP.

    Remember - in many states, spamming is "legal" - but accounts still get whacked because an AUP that says "we nuke spammers" is every bit as legal.

    Same thing applies here: Sniffing for shares may be legal (though morally questionable). Using the shares may even be legal (though even more morally questionable). But reporting sniffers to abuse@sniffer's-ISP is also legal, and it's just as legal for that ISP to LART the offender for TOS violation when a sufficient number of abuse reports pile up.

  124. It's a EULA, not your mommy. by MarchingAnts · · Score: 2
    I'm sorry, but my parents taught me to always read each contract I enter into and know what I'm signing to.

    So I read through each EULA, going over the various Terms and Agreements. That way, if I see something I don't agree with, I can always not accept. Conversely, this way I know my responsibilities as an end user.

    Think of each HD that gets fuX0red as User Darwinism.

    --

    --M.

  125. Re:This is gibberish... by markmoss · · Score: 1

    "Simply put, once you are notified that content you are hosting isn't legal, you are risking being held liable for what is there." True, so you delete it, and you are off the hook legally. Tomorrow they put it onto someone else's computer. Get the copyright police busy sending out 100,000 cease and desist (or whatever you'd call it) notices a day, and they won't have time to track down the originators...

  126. It's understandable. by SpanishInquisition · · Score: 5

    With 40+ gig hard drives on the market, it has become more and more difficult to fill it all up with useless crap you download from the net. Thankfully the great community of the net has found a new way to solve this problem: now anyone can fill your drive with useless crap so you can live your life in peace without ever having to spend night after night downloading useless crap from the net, because you know that someone will do it for you. Just remember to delete everything and defragment once in a while to leave space for new useless crap.

    --
    Je t'aime Stéphanie
  127. Great! by Electric+Angst · · Score: 1

    Well, while it is somewhat deceitful to use other people's shares without them knowing, I believe that this is ultimately a very good idea. What's really happening here is the innate, God-given ability for humans to share information for free.

    Intellectual property is simply a form of secrecy, and secrecy itself is condemned in the Bible. Take this verse of scripture:

    "In secret have I said nothing" - John 18:20

    Those are the words of Christ himself, and I think that gives a pretty strong indication of where he would stand in the current intellectual-property debate.

    Those who try and keep secrets and hoard information through satanic "intellectual property laws" are the real villains. Without the free spread of information, where would we as citizens of the world even be today? I mean, what if Jesus had said "Remember my words, but don't repeat them, as they are (C)20 AD, Myself." The Word itself would have never spread and we would all be damned to Hell.

    So, in short, sharing information is without a doubt a direct order edict from the One True God Himself.


    --
    Feminism is the wild notion that women are human beings.
    1. Re:Great! by CyberDawg · · Score: 1

      Electric Angst has come up with either the most innovative troll for the day or the most twisted justification for unethical behavior that I've ever seen. Either way, his post makes entertaining reading, and his psychiatrist's reports (which God Himself wants us all to read) would be even more entertaining.

    2. Re:Great! by Hiro+Antagonist · · Score: 1

      Having this tied to a religious metaphor is a bit tenuous; but I agree wholeheartedly with your point. Same goes for the other great thinkers of the world -- where would we be if Martin Luther King, or Plato, or John Locke, or Thomas Paine had placed copyright symbols after everything they said and wrote?

      --
      I Hit the Karma Cap, and All I Got Was This Lousy .sig.
    3. Re:Great! by BorgDrone · · Score: 1

      Too bad there is no such thing as a god and the bible is just a fairy tale (although a very violent and disturbing one that shouldn't be read to children)
      lots of people don't believe in a god, don't try to force your ideas on them.
      ---

  128. RIAA should clamp down on netbios! by Anomynous+Coward · · Score: 5

    Dear Microsoft,

    Please cease and desist the use of netbios immediately, because it is used to transfer copyrighted material some of which are owned by our members.

    Yours mercilessly,

    RIAA

    Could this spell the end of one of the most ugly MS TCP/IP protocol hacks?

    I guess not. But the thought made me smile ... ;-)

    .vortex

    --
    Time flies like an arrow -- Fruit flies like a banana
    1. Re:RIAA should clamp down on netbios! by SmittyTheBold · · Score: 1

      I absolutely love that.

      The problem is, there's a hole in the argument. This is all using TCP/IP and SMB. No NetBIOS that I'm aware of.

      --
      ± 29 dB
    2. Re:RIAA should clamp down on netbios! by rvaniwaa · · Score: 1
      Actually, Netbios is an IBM hack. According to "The Linux Network" by Fred Butzen and Christopher Hilton:

      The first networking cards for the IBM PC were devised by IBM itself. This was in the mid-1980's when TCP/IP and the Internet were confined to universities and laboratories. To manage networked PCs, IBM invented its own protocol: the Network Basic Input/Output System (NetBIOS)

      Over time, IBM's networking cards were pushed out of the marketplace by cheap Ethernet hardware but IBM chose to use its NetBIOS protocol as the basis for networking under its OS/2 operating system which it commissioned Microsoft to write. As part of that deal, Microsoft licensed NetBIOS technology from IBM. Microsoft then used NetBIOS to implement networking for its Windows line of products including Windows for Workgroups, Windows 9x, and Windows NT.

      --
      main(i){(10-putchar(((25208>>3*(i+=3))&7)+(i ?i-4?100:65:10)))?main(i-4):i;}
  129. Scour by EnVisiCrypt · · Score: 1

    The old scour used to do this. It was a really popular way to get MP3 2-3 years ago.

    --


    *everything* is Orwellian to cats.
  130. Re:This is just silly by lingsb · · Score: 1
    ...artists to profit. (Which they don't anyway...the profits accrue to the parasitic recording labels.)

    Are these the same record labels which take a risk in deciding to sign a band, not knowing if the money they've paid out in recording, promotion, etc will be returned?

    The purpose of copyright is to promote progress in the arts and sciences, not to allow artists to profit.

    It promotes progress because the artists can make a profit from it! If, as a musician, you didn't earn enough to live from making music, would you still do it as much? Would you have time to, while doing your day-job?

    In the presence of easy copying, copying restrictions no longer serve to promote such progress.

    Not sure I understand this, could you explain? If an artist doesn't make back the cost of producing their recorded work, how is this promoting progress?

    --

    -BB

  131. Software Download Mirror by nstrom · · Score: 1

    Their website appears to be totally hosed, plus I couldn't even get their AutoInstaller to work. I managed to download the setup files from the site, so I zipped them up; you may download them here:

    http://reptilian.res.cmu.edu/ShareSniffer.zip

    Apparently, the software won't run if it can't contact their website, but here it is anyway. Enjoy!

  132. A symptom of M$ Networking by Bonker · · Score: 2

    When locking down a M$ workstation or server, one of the first things you have to do if you want it to be as completely secure as you can get it is to forget about 'file-sharing'.

    It's a shame, because there are really good ways to do file-sharing besides sftp that are secure. Unfortunately, Microsoft doesn't believe in security. In the default installations, which everyone else is going to want to connect to your shares with, every protocol is bound to every adapter, etc. It takes a skilled hand to break the unnecessary bindings or use a non-MS file sharing service. Because Microsoft refuses to make a *sane* default network configuration for Joe-Bestbuy, those of us who care about security will never be able to run shares across TCP/IP.

  133. I leave you to rely upon your own legal advices. . by werdna · · Score: 2

    ... but it is possible that you may have a fool for a client.

    I leave you to rely upon your own legal advices, and at your own peril. The same argument can be made, and has been made, about open doors and keys and real property or automobiles; and about property that has been left alone for a brief time at airports. I can assure you that the law governing trespass, theft and implied consent in non-computer arenas is generally quite unkind to defendants -- and there are many an incarcerated felon who continues to grumble with remarks not substantially different from those you have made here.

    This much is certain, you are not correct merely because you say so, and certainly not because you ended your posting with the term "duh!" Likewise, I may well be wrong in some cases, and perhaps not in others.

    The trick is not to be the defendant in one of the others. Educate yourself, and be certain before you are sorry.

    An undeniable, strong and powerful distinction can be made between an anonymous ftp account or a webserver on one hand, and a passworded system having known security bugs or easily guessable passwords on the other. Many skr1p7 k1dd135 feel that the latter are likewise invitations to plunder, but would be (and have been) laughed out of court on a defense based on that theory. Still others think that finding the "magic url" to breach into an intranet is legit, simply on the theory that it was permitted to be done -- this is a dangerous assumption.

    The failure to password a portion of a system may or may not be an implied consent to plunder -- my suggestion is not to be wrong in assuming that it is. Be damned sure you are invited before you start taking data.

    In particular cases, you might well not have committed a felony. Good for you. But in others, you may well have done something for which your life and liberty will later be in jeopardy.

    Look, it's entirely up to you to decide how you want to manage things -- but by all means have your a** well-covered when you do. It's a bad, bad idea to be your own lawyer, particularly when being wrong may cost you your life as you know it.

  134. ummm by bobhope · · Score: 1

    What about that whole legal thing with accessing a system you are not authorized to... I didn't think whether you could break into it or not mattered all that much (not that there is much breaking involved in Windows)?

  135. shares by Mondrames · · Score: 3

    I would say that "All your shares are belong to us", but we knew that already.

    1. Re:shares by kchayer · · Score: 1
      Wouldn't it be "All your share are belong to us" instead? :-)

      "Someone set us up the sniffer."

      --

      "I say consider this day seized!" -Hobbes
      "Tomorrow we'll seize the day and throttle it!" -Calvin
  136. Startup Screen by nstrom · · Score: 1

    If you can't run this program on your box of choice, here's a shot of the startup screen. Note the "Because it's there" motto. Is this the product of a responsible company? JPEG Image 540x313 pixels

  137. This is just silly by isomeme · · Score: 1

    Well, okay, not just silly. Also kind of funny. But there's no way this is even within shouting distance of being ethical or legal.

    The argument here is akin to saying "you left your front door unlocked, so of course you were inviting me to take your stereo", or "you left the keys in your car, so of course you meant for me to take it on a joyride". Negligence does not excuse crime. In practical terms, it makes it much easier, but that's not the point.

    This sort of sloppy thinking is the same as that which allows millions of people to steal music using Napster who would never dream of stealing a CD from a record store. Being intangible and trivially easy doesn't make it less of a theft.

    --
    When all you have is a hammer, everything looks like a skull.
    1. Re:This is just silly by undertoad · · Score: 1

      Don't worry, I'm getting them back for you in metamod.

      --
      Move '.sig'

    2. Re:This is just silly by isomeme · · Score: 1
      Copying is not theft.

      It is (for copyrighted materials) under our legal system, and for good reasons. Being able to control copying allows content producers to profit from their work. Nobody really questioned this arrangement until it became effortless for ordinary people to violate copyright on a massive scale, at which point suddenly everyone decided they wouldn't obey an inconvenient law.

      I really wish someone would explain to me why artists and distribution companies shouldn't be allowed to control how their property is used.

      --
      When all you have is a hammer, everything looks like a skull.
    3. Re:This is just silly by Mr.+Slippery · · Score: 3
      The argument here is akin to saying "you left your front door unlocked, so of course you were inviting me to take your stereo"

      No. A better analogy would be if I had a sign on my door, meant for a visiting friend, which said "Come on in and have a beer". If a stranger sees it and comes in and helps himself to a cold one, has he done anything morally or legally wrong?

      Opening your shares is inviting other people in. If you fail to specify who you're inviting, that's your fault.

      ...steal music using Napster who would never dream of stealing a CD...
      Copying is not theft. HTH. HAND.

      --
      Tom Swiss | the infamous tms | http://www.infamous.net/
      You cannot wash away blood with blood
    4. Re:This is just silly by isomeme · · Score: 1
      I notice someone moderated my original comment as being a "troll". I wish whoever did that would explain their reasoning, publicly or privately. I certainly didn't intend my comments as a troll.

      --
      When all you have is a hammer, everything looks like a skull.
    5. Re:This is just silly by clare-ents · · Score: 2

      "I really wish someone would explain to me why artists and distribution companies shouldn't be allowed to control how their property is used.
      "

      It's something to do with fair use rights. For example, if you buy a book you should be allowed to read it. However, if your book came with a EULA inside the package that said reading it was forbidden the person who bought it has been ripped off. This applies to electronic books you are not allowed to read aloud [famous case - Alice in Wonderland from Adobe's E-books site].

      Oh, if copying is theft, then if I come to your house and note down what possessions you have in the lounge, the decor, and go home and produce an identical lounge without asking you - did I steal the lounge from you?

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
    6. Re:This is just silly by Mr.+Slippery · · Score: 2
      For 6 years, I've slid by in college, and the night before our thesis papers are due, I break into your dorm room and copy your paper, and hand it in as mine...

      The misdeed here (may or may not be a crime, depending) is fraud, not copying. It would be just as wrong to represent a work placed in the public domain (by expiration of copyright, or by deliberate act) as your own as to represent a copyrighted work as your own.

      The idea of an exclusive right to copy is no longer worthwhile. However, the ideas of a right to be recognized as an author or creator and a right to receive royalties from for-profit use (like songwriter royalties today) would still be of benefit.

      --
      Tom Swiss | the infamous tms | http://www.infamous.net/
      You cannot wash away blood with blood
    7. Re:This is just silly by inkydoo · · Score: 1

      No, a better analogy would be if your front door was open but there was NO SIGN AT ALL (because, of course, open windows shares don't actually pop up a notice saying come on in). If a stranger comes in and does anything, he is guilty of breaking and entering.

      The law (in the US) recognizes the threshold of your home as a sacred line. Even the police can't cross it unless they have a warrant, or you explicitly give permission to enter. Even if you're standing just inside the threshold with the door open talking to the cops.

  138. Entering by Sloppy · · Score: 2

    If you enter an unlocked house, without permission, it's entering. Still a crime. The fact that you left the door open is not "permission," not even implicitly.

    But on the Internet, how can you tell the difference between a private area (someone's house) and a public area (the town commons, McDonalds, etc). It all looks identical.

    There are plenty of places where you really do have the owner's permission to read/write, and they are indistinguishable from Joe Schmoe's "accidental" ftp site or Samba share. This is what leads to the attitude that, if someone is sharing a resource, they mean for it to be shared.


    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  139. Ethics vs. Laws by CyberDawg · · Score: 1

    Legally, this all boils down to one question: Is leaving a file share set up with no password equivalent to (a) leaving your front door unlocked so friends can come on in, or (b) leaving your front door open with a "come on in" sign so anybody can come in?

    If you subscribe to point-of-view (a) above, then the ShareSniffer people are advocating using the tool for the electronic equivalent of walking down the street checking doors to see if they're locked, which can get you arrested. If you believe (b) above, then it's equivalent to walking through a commercial district and into an open shop door, which is not only legal, but encouraged.

    Is this any different from the wardialers of the 1980s or the port scanners of the 1990s? I don't think so. I tend to take the point of view that tools aren't evil, only what people do with them. That would say the ShareSniffer folks didn't do anything wrong just by writing the tool, just like I (oops, I mean that guy I knew back in college) didn't do anything wrong by writing a TCP/UDP port scanner some years ago.

  140. Re:Its (1) a crime and (ii) not a decent substitut by Sloppy · · Score: 2

    Most states have enacted felony statutes which precisely cater to this issue -- the taking of data from a computer system without being granted express permission to do so.

    Dammit, I just realized that I don't have even a shred of proof that Slashdot (or any other web server) has ever granted me express permission to access their server. And by replying to your post, I am even writing to their server. It looks like I'm a sitting duck for a felony charge at any time.


    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  141. Interesting argument. by jd · · Score: 2
    In the UK, that might just work. The "Computer Misuse Act" only forbids "unauthorized activity" and the argument could very well be made that by publicly sharing the drive that the activity -was- authorized.

    In the US, they might also have a case. Storing information on your computer, without your knowledge, has become pretty much the norm, with "stealth cookies", assorted "copy protection" schemes, etc. It would be very difficult to contend in court that one kind of unauthorized use of file space was more "acceptable" than another.

    Worse, from any corporate standpoint, if it were to be declared illegal to use these kinds of schemes, virtually all proprietary software on the market would be illegal, as virtually all proprietary software tampers with your hard drive in ways that you do not explicitly authorize.

    From the standpoint of "ethics", the trading of any kind of commercial product (be it a sound file or a computer package) is definitely in the "Not OK" pile. But the law doesn't work by ethics, it works by bloody-mindedness and party politics.

    IMHO, we're going to see persecution of Napster, but a strange silence over PtV. Companies have too much invested in it themselves to risk it.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  142. More Info on NetBIOS Vulnerability by Captain+Chad · · Score: 2

    If you don't already know about it, go to the Gibson Research Center. He has a program, Shields Up!, that tells you if your NetBIOS (and other) ports are vulnerable. He also includes detailed steps on how to configure Windows to make the NetBIOS ports inaccessible from the internet. Even if you don't have shares, the NetBIOS ports will give out information about the configuration of your computer.

    --
    Check out Chad's News
  143. Re:All your base are belong to trolls by DEATH+AND+HATRED · · Score: 1

    God damnit, is that why I didn't get any karma?

  144. Tech Supp. by pos · · Score: 2

    This is probably a feature so that they can give you technical support.

    "We ga-run-tee you will have 100% satisfaction with our tech support. Hell, we'll even file your quicken tax forms for you and finish your doctoral thesis while we're at it!"

    -pos


    --
    The truth is more important than the facts.
    -Frank Lloyd Wright
  145. Re:I'm glad someone finally did this by Higher+Authority · · Score: 1

    I have Windows 98, and I have sharing enabled (along with two "firewalls", one a real fw running FreeBSD and the other @Home's lovely blockage of SMB/CIFS ports, which I actually hate myself, but they don't block NetWare ports so fine with me nonetheless :), and by default Windows did not ask me to share anything when I first enabled file sharing.

    Of course, I could be wrong, and maybe Windows did ask me to share the C: drive by default, and I ignored it/cancelled it, but I don't remember doing so (much like I don't remember many things, so that doesn't really help my case)...

    And re your comment on NetBEUI, NetBEUI isn't a routed protocol, IIRC, so that'd most likely be the best option for users wanting to share files in a home network setting, unless they throw in Samba or something, in which case it could safely (for the most part) be assumed the user has a small knowledge of what he/she is doing.

    And, by the way, I agree with your 'they don't deserve what they get, necessarily' mentality.

  146. Re:AUP's don't trump dumb users by thrillbert · · Score: 1

    And you are thinking that these people who could not figure out how to close their shares are going to be smart enough to know that they're being sniffed? If that is so, I might have a bridge I can sell you.

  147. I'm glad someone finally did this by frankie · · Score: 3

    Windows file sharing is so fucking stupid -- why on earth would they set it up so the default share is "all users: full access"??? Any reasonable person must infer that Microsoft WANTS people to give their hard drives to the internet at large.

    Of course, there are plenty of other idiots in town -- how many remote holes are there in the default RedHat install? And that's without even having to click a button that says "enable file sharing".

    ShareSniffer should be viewed as a wake-up call to OS vendors in general. The default settings should not Not NOT open your computer to remote takeovers!!!

    1. Re:I'm glad someone finally did this by jamiemccarthy · · Score: 3
      Windows file sharing is so fucking stupid -- why on earth would they set it up so the default share is "all users: full access"?

      I have no idea what the default setting is, because I don't use Windows. But according to the folks at ShareSniffer, this is not true: "Microsoft Windows by default will not expose files to the Internet. It has to be consciously configured to expose files to the Internet."

      Jamie McCarthy

      --
      jamie.mccarthy.vg

    2. Re:I'm glad someone finally did this by Higher+Authority · · Score: 1

      Explain to me this concept of a default share, for I have not seen it.

      Windows does not, by default, share anything. If Microsoft let anything like that slip by, do you think companies would even be considering using their software, as insecure as default as it would be?

      While I agree with your general opinion on ShareSniffer, I can still say you're insanely (un)informed.

    3. Re:I'm glad someone finally did this by gamorck · · Score: 1

      No version of MS Windows exhibits the behavior you just described. Get your facts straight before you post again - thank you. NT/2000/XP - Create default shares (C$, ADMIN$, D$) that are only accessible by somebody with Administrator privileges. No normal user can access these shares. 95/98/ME - No default shares. No default behaviour (At share creation you set access options). If you are stupid enough to share out drives without a password - you deserve to be hacked. That's the equivalent of creating a / NFS share on your Linux box with EVERYBODY privileges. Once again - Default MS Windows settings DO NOT OPEN YOUR COMPUTER TO REMOTE TAKEOVERS! Get it right you braindead zombie. You must explicitly tell Windows 95/98/ME to share your drives and in the case of NT - you must explicitly change the shares in order to allow EVERYBODY to access them. Enuff Said J

      --
      I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
    4. Re:I'm glad someone finally did this by Raver+X · · Score: 1

      Cut from : http://www.fastlane.net/~thegnome/faqs/hackfaq/hackfaq-11.html 11.4 What can null sessions to an NT machine tell me? By establishing a null session from your NT attacking machine to the target server, there are a few different things you can do to get account info:
      net use \\server_name\ipc$""/user:"" if you see "The command completed successfully" then you are connected. Using local.exe and global.exe from the NT Resource Kit shold get you some usefull info. Here are two examples. Get the local administrators on the target: local anmistrators \\server_name Get the members of the group Domain Admins: global "domain admins" \\server_name For even more information, rum DumpACL and go for the user and group reports. This should give you every account on the box, plus a host of other useful info, such as who logged in last, if a password is required, who is in what group, etc. From this y ou can target specific accounts to attempt access. To find the role of the machine, domain names, and dc names try using netdom.exe. To find the last logon time try usrstat.exe. Both are in the resource kit. For some info on shares try net view. Also, netcat works on multiple platforms and it can be used to forward nt-specific attacks if a direct connection to the target does not exist Finally, if a password is shorter than seven characters, then lanman-hash(a modified samba client whose source code can be found from the ntbugtraq website) could be used as a password equivalent.

      --
      -- The question with Unix is NOT "Can I?" it's "How do I?"
    5. Re:I'm glad someone finally did this by Mnemia · · Score: 1

      All true, but the problem is that many home users do not understand that what they are doing is exposing files to the Internet. How many @home users do you really think could tell you that the windows SMB service should _never_ be bound to a routable protocol in an unfirewalled environment. They simply turn it on to share with the maybe one other computer they have in their house, without knowledge of the security implications of what they are doing.

  148. Like anonymous FTP upload scanners by Krellan · · Score: 2

    This is almost exactly the same concept as the old anonymous FTP upload scanners. They both poll random IP addresses for poorly-configured servers that allow open access.

    This program searches for Windows shares without a password, and an anonymous FTP upload scanner searches for world-writable upload directories on FTP servers that are also readable. Both have the same effect: allowing the server to be used by unauthorized third parties for anonymous file storage and retrieval.

    This was very popular back in the early to mid 1990's, when anonymous FTP was the main way of transferring files on the Internet and security standards were low. Warez sites were just getting started, and most pirates didn't have the resources to put their own servers online full-time, so typically someone else's FTP site would be taken over to do the job.

    I'm sure many sysadmins remember the surprise of seeing their disk space suddenly fill up over a weekend, all hidden under the ... (three dots) directory...


    Super eurobeat from Avex and Konami unite in your DANCE!

  149. True, true by OpCode42 · · Score: 1
    What if you intended to share your mp3 space with the world?

    I have transferred files quite a few times like this when the files were too big to email / couldn't get pcAnywhere or laplink working correctly. When you click "share this folder" you do exactly that. There is no legal comeback. Ignorance is no defence.

    -----

  150. Windows = Insecure by DireManta · · Score: 1

    Personally, I think that ShareSniffer is a tool that should have come out years ago. This method of hopping onto unsuspecting victim's shares has been around since Windows 95 first came out, attaching NetBIOS to the Dial-Up TCP/IP by default.

    Anyone having Windows should be wary of its security. It's commonly known to almost anyone who has any knowledge of computers whatsoever. If there are people who get Windows 95/98/ME onto their computer without consulting someone who knows something about computers, then they made a mistake and will now be paying for it because of ShareSniffer. Boo, hoo! I feel sorry for them.

    Remember, we're dealing with the same OS that has utilities to change the dreaded "Blue Screen of Death" to any color you want. What does that say about the OS when you can configure how it crashes?

    "This message was sent using 100% recyclable electrons"
    Jonathan C. Wohlschlag

  151. Precisely by p3d0 · · Score: 1

    To me, this just illustrates the idiocy of the shrinkwrap (or click-through) licenses, by reductio ad absurdum.
    --
    Patrick Doyle
    I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
  152. Security Reinforcement by Higher+Authority · · Score: 1

    I think this is just nature's way of keeping us on our toes. Personally, I think it's about time someone (or something, in this case) came along to knock some damn common sense into people.

    First, we have problems with people breaking into others' computers over the Internet, especially computers running Windows. Then, we have Microsoft ignoring the problem altogether. It's about time something came along to change that, along with users' own mindsets.

    There's a serious problem here, and it's not file-swapping, it's not breaking into computers, but rather it's security (or lack thereof) thanks to ignorant or unknowing users. Sooner or later, people are going to have to realize that there is no security in trusting software without doing some research. Too many users trust the software they have without even knowing what it does.

    For all you wimps out there, I hope it does become a problem; it will help correct one that's been around for a long time.

  153. HEY! by cybercuzco · · Score: 1
    Porn is not useless

    --

  154. This will increase awareness by JTek · · Score: 1
    I can't tell you how many times I noticed unintentional open shares on a friend's computer, and when I informed them of the error, they respond: "So? Who cares about my data? Why would anyone want to hack little old me?" Perhaps if this software becomes popular, it will teach people that they are at risk.

    On the other side of the issue, it is true that at most college dorms, open shares are the preferred way to trade files between buds on the same floor. This software will be very useful!

    Josh Hinman

  155. Re:Why Not by Juln · · Score: 1

    Yeah, I love N'Sync! You are so right, and clearly a thoughtful person.
    The only artists that are concerned about Napster are the ones that don't deserve the name 'artist': Dr. Dre, NSync, etc., who know people won't buy their album of filler if they already have the 'hit' single.
    Look at Napster's website, where 'artists speak out'. It is clear many musicians are not up in arms about Napster: it's the record companies, who have always been greedy, unscrupulous, and totally uncaring about either the audience or the 'artist'. So shove it up your ass.

    --
    Juln
  156. Windows file sharing security by Ryu2 · · Score: 1
    Doesn't Windows pop up a warning message every time you connect to the Internet with open shared volumes? At least the last version of Windows (98) I used did.

    I also wonder why Microsoft doesn't put the basic notion of the ability for IP-based ACLs for file sharing in Windows out of the box.

    --
    There's 10 types of people in this world, those who understand binary and those who don't.
    1. Re:Windows file sharing security by Higher+Authority · · Score: 1

      Technically, no; Windows does not warn you about open shares when you connect to the Internet. Windows (usually) warns you about open shares if/when you dial up to an ISP via a phone line. Of course, either way, you still must explicitly share something.

      But I'm not sure that the whole 'if you share it, you must want me to access it' will stand up in court. Ultimately, you decide who has access or not, not the existence of the share alone.

  157. Optimal?? by zilym · · Score: 2

    Why not just use a firewall to isolate your network from the big bad Internet? Think of all the extra memory and processing power wasted by running two transport protocols on each of your workstations. And think about when your internal network grows large enough to -need- a routable transport protocol internally as well as externally. Hardly an optimal solution, IMHO. Linux makes a cheap and easy firewall using the numerous floppy based router distros, or you could use OpenBSD for a really secure firewall, also at low cost.

    1. Re:Optimal?? by Salgak1 · · Score: 1
      I do use a firewall. But I don't depend on it. Second and third layers of defense help. If I worried about processing power and memory going to waste, then I'd also ban Winamp, Windoze Media Player, Napster et al, and Solitaire from the boxen. . .

      But I **NEVER** leave a Windoze box configured as default. . .

  158. Contract Laws (a side note) by Stickerboy · · Score: 1

    Clicking "I Agree" without reading a license agreement is legally binding, right?

    Nope. According to contract law, there have to be 3 qualifications for a contract (license agreement, whatever) to be legally binding - one of them being that there must be a meeting of the minds, i.e. terms must be agreed to and neither side is deceiving the other. If you don't read the contract, terms can't be agreed to, can they?

    This means that there is no license agreement between you and the software company; you technically have an illegal copy of the software installed.

    Note that this is different from knowing the terms and agreeing to something unfair, like selling a $10 million painting for $10k.

    --
    Light a fire for a man and he'll be warm for a day. Light a man on fire and he'll be warm for the rest of his life.
    1. Re:Contract Laws (a side note) by AX.25 · · Score: 1

      >This means that there is no license agreement between you and the software company; you technically have an illegal copy of the software installed.
      That is what Microsoft has been trying to tell us all along: we are nothing but software pirates, and if we keep paying them money they will ignore us for a little bit longer. Well, until .net; then we will have to pay every month.

      --
      What is pirate software? Software for inventory of stolen treasure?
  159. Amusing. by Fortuna+Wolf · · Score: 1

    I really don't consider this a troll, even though most /. users would. I agree, if you're an idiot and don't read through, you should get smacked upside the head. Then again, there should also be a way to be part of the service and not have to breach your privacy.

    --
    Disclaimer: The "Human" attached to this account is unresponsible for anything unless it wants responsibility.
  160. A clever hack! by deefer · · Score: 2
    But I can see the lawyers rubbing their hands already.
    OK, on the one hand, we have unwitting users sharing their HDDs inadvertently to the Internet. On the other hand, as the article says, they had to click to share that folder; it was a conscious decision on their part to share it.

    On the plus side, there is no big single entity to sue here like with Napster, only individuals. And those individuals can always say "Ooops, I didn't realise _everyone_ could see my files!", so the suing company will burn wedges of cash tracking people down just to see them roll over. Again, the legal vultures are circling..

    Great idea using Usenet, though. And everyone thought that Usenet was dead! :) The one thing that is potentially scary to Joe Public, is the scanning aspect of this. Allowing users to voluntarily upload their details to Usenet, and with a check in the Sniff program that ensures only the share you intended to publish is free of a password, and you've potentially got the Next Big Thing.

    --
    Strong data typing is for those with weak minds.


  161. How did all this schisse porn get in my MP3 share? by Bonker · · Score: 5

    IT Manager: Well, I'm afraid we're taking your workstation away. Security will be by in a few minutes to escort you out of the building.

    Developer: What? Why? I didn't do anything to get fired over!

    IT Manager: We found all sorts of obscene materials on your harddrive in shared folders.

    Developer: Huh?

    IT Manager: Like German schisse porn and crushing videos.

    Developer: That's ridiculous-- Oh my god! What are they doing to that poor German Shepherd? Wait a second, I didn't put this on here! I swear!

    IT Manager: It's your own fault. You didn't *have* to share those drives.

    Developer: Yes I did! My manager told me to!

    IT Manager: We're firing him, too. Seems he has goat.cx pictures all over *his* hard drive.

    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
  162. It will never work. by Eusebo · · Score: 1

    Has anyone ever tried to move large amounts of data (say, a couple MP3s at 5MB each) from a windows share using anything less than a high-speed LAN? Unlike FTP, SMB is far from speedy and is painfully slow even on a LAN (especially considering the alternatives.) This might work in limited applications, but for the most part I'm thinking the speed would be unbearable no matter how much bandwidth you have at your disposal. Scale it up to a couple hundred users and it'll be worthless.

    --
    It is quite simple
    Haiku should not be funny
    Try a Senryu
    1. Re:It will never work. by AX.25 · · Score: 1

      Try using SCSI drives. IDE drives suck for multi-user access.

      --
      What is pirate software? Software for inventory of stolen treasure?
    2. Re:It will never work. by Eusebo · · Score: 1

      Good point, but how many MP3 whores really use SCSI anything? When you can get a 60GB IDE drive for under $200 vs. more than $400 for the same capacity in SCSI the choice is fairly clear. Especially for someone on a limited income (which clearly MP3 whores are, or they'd just buy the damn CD!)

      Besides a faster drive still only masks the real problem...

      ...Windows

      --
      It is quite simple
      Haiku should not be funny
      Try a Senryu
  163. I am Jebus, son of dog, savior of ham! by DEATH+AND+HATRED · · Score: 1

    Considering most people here are intelligent enough to see through religion, I don't think using mythical creatures is the best way to make a point.

  164. yes and no by JiveDonut · · Score: 1
    When Sally runs her anon ftp server, she is most likely savvy enough to realize that people will use it.

    When Sally is a Windows user who turns on sharing so her laptop and desktop can see each other, there's a high probability she doesn't realize anyone on the Internet can use her share.

  165. I already see this happening by fantail · · Score: 1

    According to snort and logcheck.sh my server (with DSL connection) gets hit 1 or 2 times a day by people trying to access my samba shares.

  166. new book by magarity · · Score: 1

    I predict a new book explaining how to set this up: 'Data Havens for Dummies'

  167. Re:"Because it's there"?!? by Siqnal+11 · · Score: 1

    No, it means you can leave your car unlocked, and you won't be held liable if somebody uses it to commit a crime.

    --
    You are a fucking moron.
  168. Talk about a non-issue... by MrTilney · · Score: 1
    OK, we've reached the point when you can get press (and a lot of /. comments) for doing just about nothing. Public Windows shares? Anyone here ever go to college? Before Napster it's how we shared MP3s. It's pretty much accepted on college campuses that unpassworded shares mean "here's some stuff I'm trying to share". That's the point of the "feature" after all.

    As far as internet users, it's pretty cool that we can do this on a large scale now. Protecting yourself is really easy, if you don't want someone accessing your computers, don't share. To crack, you should be circumventing security, not using it as intended. This is like running a warez site out of an anonymous ftp. Stupidity is not an excuse.

    And what about the virus thing. If all of a sudden there are new files on your hard drive, don't run them. You can't remotely execute this way (of course, if someone was really dumb, and shared commonly used executables, I guess you could replace them). It's kinda like saying "What's this small round metal green thing on my porch? I think I'll pull this little pin."

    In addition, this isn't new. People have been exploiting these shares for a long time on dumb cable modem/DSL users. If anything, if this takes off, it'll make people aware of the problem. It even tells you how to activate/deactivate sharing on the company's web site.

    I hope someone sues them. It'll just confirm my theory that the judicial system has no clue when it comes to technology issues. It's like patents: put computer or internet in the description and the courts throw out logic, precedent, and common sense.

  169. "Because it's there"?!? by Wheel+Of+Fish · · Score: 1

    Does that mean that if I leave my car unlocked, anyone walking by has the right to open the door and start rummaging through my briefcase and glove compartment?

    -Gabe

    1. Re:"Because it's there"?!? by OpCode42 · · Score: 1
      No.

      But if you leave the door open, keys in the ignition and a sign on the windscreen saying "I would like to share this car with whoever wishes to use it"...

      -----

  170. I see this one goin down in flames for 2 reasons by Lysol · · Score: 1

    1. Cuz someone will launch some virus and blow up a bunch of machines and people will dump it.

    2. The RIAA and every other copyright group will get past the "we don't actually do the sharing, just provide the software...". I mean, if you think about it, Napster really isn't illegal. It's people using the service for trading copyrighted material that are breaking the law.

    But what will probably happen is there will be fringe groups doing this style of sharing and after the man breaks them, he'll find a way to use it to his advantage...

    For us in the computer community, this probably won't matter much cuz we'll find a way around it or come up with something better..

  171. Availability of SMB over the internet by ADRA · · Score: 1

    This is the prime reason that @home, and any other decent ISP, bans these ports inbound and outbound. Although it is a little extra pain if I want to set one up (VPN), it is an acceptable loss compared to what would happen if anyone had access to all the insecure computers on the @home network, or others.

    Thus Spake ADRA

    --
    Bye!
  172. OT: Thawte Advert by dragonfly_blue · · Score: 1

    Has anyone else noticed that the banner ad that Slashdot is running for Thawte certificates has a HUGE typo, the size of the ad? It says 'Unresricted', in large, bold, FLASHY letters... I wonder if Taco wrote it?

    --
    Free music from Jack Merlot.
    1. Re:OT: Thawte Advert by dragonfly_blue · · Score: 2

      Here's the ad, by the way, pretty funny if you ask me.

      --
      Free music from Jack Merlot.
  173. sharesniffer. by AX.25 · · Score: 1

    So that's why port 137 keeps getting hit on my network. So who do I bill for the waste of bandwidth? I only have 256 kbs SDSL.

    --
    What is pirate software? Software for inventory of stolen treasure?
  174. Welcome to my sidewalk by wytcld · · Score: 1
    Obviously there are a lot of idiots sharing space they should rather not. But consider, if the RIAA succeeds in shutting down folks purposely providing mp3 files (say, in conjunction with Gnutella), what happens if we extend the current state of affairs and mount a lot of open shares to the Net, all innocently like - sort of a public filespace project? Then it becomes less like leaving your front door open, more like maintaining the sidewalk in front of your house.

    Having a sidewalk the public can use, and which you are legally required to fix cracks in and shovel snow off, does not in addition legally require you to post a private cop out there to make sure only reputable people walk across it ... it is public space; even though the private property owner has both rights and obligations concerning it, the property owner is not responsible for public passage through that space ... even when the person on your walk is carrying items of disputed ownership. No jurisdiction would make you remove the sidewalk.

    --
    "with their freedom lost all virtue lose" - Milton
  175. Whose fault is it? by indecision · · Score: 1
    I've always wondered how Micro$oft can ship a product which is susceptible to viruses, insecurities, crashing, etc. and somehow escape most of the blame and cost when those things happen.

    I just hope that the public opinion at this venture will be directed appropriately, at either the OS, or the fools setting stupid options in them. But it's likely that articles talking about "hackers" and "file sharing" will channel such opinions at the Linux community instead.

    Still, silver linings, at the end of the day this might cause lots of people to be more aware of their system security. They might even be tempted to look into an OS with fewer of those problems...

  176. Re:Why Not by Wraithlyn · · Score: 1
    "make the theft of intellectual property or copyrighted materials exactly the same in the eyes of the law as the theft of a physical object"

    Why should they be treated "exactly the same"? They are not exactly the same. When you steal a physical object, the person you stole it from has lost something. When you make a copy of an MP3, they haven't lost anything. They haven't necessarily lost a sale, because said copier is probably copying it because he doesn't have the money to buy it in the first place! If Napster didn't exist, said copier would probably copy a friend's CD, or tape it from the radio, or find another place to download it from, like an FTP site or IRC. Napster (and other P2P) has simply made it easier to do what millions of people have been doing forever anyway. That doesn't make it right... but it's not the same as stealing a physical object.

    --
    "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
  177. Legal Expectations by dexter1 · · Score: 1

    The fundamental question here is what reasonable expectations a person can legally have in regards to their private computer. It is wrong to suggest that any time a user hits "public file sharing" they understand and accept the consequences. It is also wrong to suggest that public file sharing amounts to a legal acceptance of other users using one's personal computer. Simply because someone has made it technically feasible (without doing any cracking) to use their computer does not imply a legal acceptance. I am not saying for sure that what these people are doing is legal or illegal, but I do believe that the case for illegal is more heavily weighted.

  178. Legal Distribution? by Bob9113 · · Score: 1

    Given that:
    "Federal law makes it illegal to knowingly obtain unauthorized access to a computer,"

    Does it follow that if I post my mp3s on a website, and set up an Apache mod so you have to click through a warning screen that says, "Access to these files is unauthorized.", then I am not guilty of distribution?

    Then I just turn off the access log and the only person who knows is Carnivore. And everyone knows Carnivore can't trap packets unless you're already under investigation. If I clearly state that access is unauthorized, there's no reason to investigate.

  179. Watching my traffic.. by _GNU_ · · Score: 1

    Sooo much 137/138 traffic.. it's a constant 15-20 kbyte/sec flow of NetBIOS crap on broadcast.. I'm on a neighbourhood switched Ethernet network with about 300-400 Windows-running computers.. I guess I should set up a firewall some day to block this...

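The port 137/138 probing that comments 165, 173 and 179 describe can be counted straight from a gateway's firewall log. The following is an added example, not code from the thread or from ShareSniffer; it assumes netfilter-style `LOG` lines and uses constructed sample data with documentation-range addresses.

```python
"""Count inbound NetBIOS/SMB probes in netfilter LOG lines (added example)."""
import re
from collections import Counter

# Ports used by Windows file sharing: NetBIOS name (137), datagram (138),
# session (139) and direct-hosted SMB over TCP (445).
SMB_PORTS = {137, 138, 139, 445}

# Field order in a netfilter LOG line is fixed: ... SRC= ... PROTO= ... DPT=
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) \S+ .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: a day and a half of inbound drops logged by a home gateway.
SAMPLE_LOG = """\
Mar  3 01:12:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=78 PROTO=UDP SPT=137 DPT=137
Mar  3 01:12:08 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=48 PROTO=TCP SPT=1035 DPT=139 SYN
Mar  3 02:40:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=2111 DPT=80 SYN
Mar  3 13:05:42 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.4 LEN=48 PROTO=TCP SPT=3002 DPT=445 SYN
Mar  3 13:05:43 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.4 LEN=78 PROTO=UDP SPT=137 DPT=137
Mar  4 09:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.4 LEN=78 PROTO=UDP SPT=137 DPT=137
"""


def parse_line(line):
    """Return (date, src, proto, dport) for a netfilter LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (f"{m['mon']} {int(m['day'])}", m["src"], m["proto"], int(m["dpt"]))


def is_smb_probe(line):
    """True when the line records an inbound hit on a file-sharing port."""
    rec = parse_line(line)
    return rec is not None and rec[3] in SMB_PORTS


def probes_per_source(lines):
    """Number of file-sharing-port hits per source address."""
    return Counter(parse_line(ln)[1] for ln in lines if is_smb_probe(ln))


def probes_per_day(lines):
    """Number of file-sharing-port hits per calendar day (the '1 or 2 a day' figure)."""
    return Counter(parse_line(ln)[0] for ln in lines if is_smb_probe(ln))


def repeat_offenders(lines, threshold=2):
    """Sources that hit file-sharing ports at least `threshold` times, sorted."""
    return sorted(s for s, n in probes_per_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for day, n in sorted(probes_per_day(lines).items()):
        print(f"{day}: {n} SMB/NetBIOS probes")
    for src, n in probes_per_source(lines).most_common():
        print(f"{src}: {n}")
    print("repeat offenders:", repeat_offenders(lines))
```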
  180. What about deleting files? by Mr.+Sketch · · Score: 1

    If you give other users the power to add files to your MP3 directory, what's to prevent them from renaming or deleting your files? Or to just cause general havoc with your MP3 directory?

    Just a thought. But for me and my computer, we don't share our files, except maybe via ftp or http.

  181. Re:Bevy by jamiemccarthy · · Score: 2
    Since when did "bevy" specifically involve females? Even the linked definition doesn't suggest that. Somebody has been hit with the idiot paddle a few too many times.

    I'm not denying the part about the idiot paddle, but the definition was from my college dictionary, Webster's New World Dictionary of American English, Third College Edition, 1988.

    Scroll down on the linked definition and you'll see similar definitions:

    1. A company; an assembly or collection of persons, especially of ladies.

    bevy n 1: a group of girls or young women

    --
    Jamie McCarthy
    jamie.mccarthy.vg

  182. Oh yeah? by scharkalvin · · Score: 1

    So if I have a copy of DeCSS on a share on my hd and these guys point to it they ain't guilty? Sorry, the courts have already decided that one. They will get their balls cut off.

  183. VBScript - Windows - Bad Mojo by Anonymous Coward · · Score: 1

    What if somebody came out with a VBScript virus that automatically shared your C:\ when you opened Outlook? It most likely is possible, and with programs like this it is highly likely to happen. There would be thousands of unwilling victims on the I-net. God, Windows sucks; this nightmare situation could create the largest P2P network ever. Use an operating system designed for idiots, and you may well be an idiot.